The latest articles on DEV Community by Suraj Khaitan (@suraj_khaitan_f893c243958). https://dev.to/suraj_khaitan_f893c243958 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2130149%2Fe5132e15-d188-49bb-986e-43d967f20723.jpg https://dev.to/suraj_khaitan_f893c243958 en Suraj Khaitan Sat, 04 Apr 2026 14:41:02 +0000 https://dev.to/suraj_khaitan_f893c243958/we-gave-an-ai-agent-our-design-system-and-let-it-build-our-frontend-heres-what-happened-2hde https://dev.to/suraj_khaitan_f893c243958/we-gave-an-ai-agent-our-design-system-and-let-it-build-our-frontend-heres-what-happened-2hde <p><em>How a custom GitHub Copilot agent with strict architectural guardrails turned feature delivery from days into hours on a multi-tenant enterprise platform</em></p> <h2> The Problem Nobody Talks About in Enterprise Frontend </h2> <p>Enterprise frontend development is slow. Not because developers can't write React components — they can — but because <strong>90% of the work isn't writing code. It's alignment.</strong></p> <p>Which design tokens do I use? Where does this component go? How do I wire the API? What's the naming convention for hooks? Which state manager handles this? How do I handle dark mode? Did I forget the MSW handler for tests?</p> <p>On our team building an <strong>enterprise multi-tenant GenAI platform</strong> — managing agents, tools, and knowledge bases across a large manufacturing conglomerate — the friction was even worse. We have:</p> <ul> <li>A <strong>custom corporate design system</strong> with 360+ Tailwind tokens (no generic <code>gray-500</code> allowed)</li> <li> <strong>8 feature modules</strong> with strict feature-first architecture</li> <li> <strong>OpenAPI codegen</strong> that generates TypeScript types from a FastAPI backend</li> <li> <strong>MSW (Mock Service Worker)</strong> for development and testing</li> <li>A <strong>7-tier RBAC system</strong> with route-level access guards</li> <li> <strong>Light/dark mode</strong> using class-based Tailwind (<code>dark:</code> variants on everything)</li> <li> <strong>i18n</strong> for English and German</li> </ul> <p>Every new component is a decision tree. Every junior developer ramp-up takes weeks. Every code review catches the same "you used <code>bg-white</code> instead of <code>bg-background-base</code>" mistake.</p> <p>So we did something different: <strong>we encoded our entire frontend architecture into an AI agent and let it build features for us.</strong></p> <h2> TL;DR (If You Skim, Skim This) </h2> <ul> <li> <strong>Problem:</strong> Enterprise frontend velocity bottlenecked by architectural complexity, design system compliance, and cross-cutting concerns (auth, theming, mocking, i18n).</li> <li> <strong>Move:</strong> Built a custom VS Code agent (<code>.github/agents/FrontendAgent.agent.md</code>) that knows our design system, file structure, state management strategy, and API codegen pipeline.</li> <li> <strong>Result:</strong> Feature scaffolding that used to take a day now takes minutes. The agent produces design-system-compliant, dark-mode-ready, MSW-wired, type-safe code on the first pass.</li> <li> <strong>Tradeoff:</strong> You need to invest upfront in writing precise agent instructions. Vague prompts produce vague code — garbage in, garbage out.</li> </ul> <h2> Why Not Just Use Copilot Out of the Box? </h2> <p>We did. Here's what vanilla Copilot (without custom instructions) gave us:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ❌ What generic Copilot produced</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"bg-white dark:bg-gray-900 p-4 rounded-lg shadow-md"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="s">"text-gray-900 dark:text-white text-xl font-bold"</span><span class="p">&gt;</span> Tenants <span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </code></pre> </div> <p>Every single token is wrong. <code>bg-white</code> should be <code>bg-background-base</code>. <code>text-gray-900</code> should be <code>text-text-normal</code>. <code>p-4</code> should be <code>p-400</code>. <code>rounded-lg</code> should be <code>rounded-m</code>. <code>font-bold</code> should be <code>font-bold font-primary</code>.</p> <p>Multiply that across 18 shared components, 8 feature modules, and hundreds of sub-components, and you're spending more time fixing AI output than you saved generating it.</p> <p>The realization: <strong>an AI assistant is only as good as its context.</strong> Generic Copilot doesn't know your design system. It doesn't know your file conventions. It doesn't know that you use TanStack Query with a 5-minute stale time and 2 retries, not SWR or Redux Toolkit Query.</p> <p>So we gave it all of that context. Explicitly. In a single agent definition file.</p> <h2> The Architecture: A 200-Line Agent That Knows Everything </h2> <p>GitHub Copilot supports custom agents via markdown files in <code>.github/agents/</code>. Ours lives at:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>.github/agents/FrontendAgent.agent.md </code></pre> </div> <p>It's a single file that encodes every architectural decision our team has made. Think of it as a <strong>machine-readable engineering handbook</strong> — the same document that would take a new hire two weeks to internalize, distilled into structured instructions an AI can execute against.</p> <p>Here's how we structured it:</p> <h3> 1. Design System as Code (Not Suggestions) </h3> <p>We don't tell the agent "try to use our design tokens." We tell it these are the <strong>only</strong> tokens that exist:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>DESIGN SYSTEM &amp; THEMING (MANDATORY) <span class="p">-</span> Use corporate design tokens only (NO generic Tailwind colors like gray-500/blue-600). <span class="p">-</span> Always include dark mode variants (class-based: darkMode: 'class'). <span class="p">-</span> Semantic tokens examples: <span class="p"> -</span> Colors: bg-background-base, bg-background-surface, text-text-normal, border-line-weak, bg-action, bg-status-error <span class="p"> -</span> Spacing: p-400 (16px), m-600 (24px), gap-300 (12px) <span class="p"> -</span> Typography: text-400, font-primary, font-secondary, font-bold <span class="p"> -</span> Borders: rounded-m, border-s <span class="p"> -</span> Transitions: duration-medium-1, ease-in-out <span class="p">-</span> Reference: src/frontend/THEME_GUIDE.md </code></pre> </div> <p>The word "MANDATORY" isn't decoration. The agent treats sections labeled as mandatory as hard constraints, not preferences. When it generates a card component now:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// ✅ What the custom agent produces</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="err">"</span><span class="na">bg-background-surface</span> <span class="na">dark</span><span class="err">:</span><span class="na">bg-dark-background-surface</span> <span class="na">p-400</span> <span class="na">rounded-m</span> <span class="na">shadow-card</span> <span class="na">border</span> <span class="na">border-line-weak</span> <span class="na">dark</span><span class="err">:</span><span class="na">border-dark-line-weak</span> <span class="na">transition-all</span> <span class="na">duration-medium-1</span> <span class="na">ease-in-out</span><span class="err">"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">h1</span> <span class="na">className</span><span class="p">=</span><span class="err">"</span><span class="na">text-text-normal</span> <span class="na">dark</span><span class="err">:</span><span class="na">text-dark-text-normal</span> <span class="na">text-400</span> <span class="na">font-primary</span> <span class="na">font-bold</span><span class="err">"</span><span class="p">&gt;</span> Tenants <span class="p">&lt;/</span><span class="nt">h1</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> </code></pre> </div> <p>Every token is from our design system. Dark mode is included. Transitions use our timing tokens. No manual corrections needed.</p> <h3> 2. Feature-First File Structure (Encoded, Not Implied) </h3> <p>We explicitly map the file tree so the agent places files correctly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>FRONTEND ARCHITECTURE &amp; CONVENTIONS <span class="p">-</span> Feature-first organization: src/frontend/src/ features/{feature}/ api/ // Axios client functions components/ // UI components hooks/ // Feature hooks pages/ // Route-level pages components/ // Shared components contexts/ // Auth, Theme, Tenant contexts lib/ // Utilities <span class="p">-</span> Import alias: @/ → src/ <span class="p">-</span> Naming: Components = PascalCase, Hooks = camelCase with 'use', API files = {feature}Api.ts, Contexts = {Name}Context.tsx </code></pre> </div> <p>When we ask the agent to build a "knowledge base management feature," it doesn't create a flat <code>KnowledgeBase.tsx</code> in the root. It scaffolds:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/features/knowledgebase/ ├── api/ │ └── knowledgebaseApi.ts ├── components/ │ ├── KnowledgeBaseList.tsx │ └── CreateKnowledgeBaseDialog.tsx ├── hooks/ │ └── useKnowledgeBases.ts ├── pages/ │ └── KnowledgeBasePage.tsx └── types/ └── index.ts </code></pre> </div> <p>Correct directory. Correct naming. Correct separation of concerns. Every time.</p> <h3> 3. State Management: Pick the Right Tool Automatically </h3> <p>We encode our state management decision tree:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>STATE &amp; DATA <span class="p">-</span> Server state: TanStack Query (staleTime 5 min, retries: 2) <span class="p">-</span> Global auth: UserInfoProvider (contexts/AuthContext.tsx) <span class="p">-</span> Theme: ThemeProvider <span class="p">-</span> Local state: useState/useReducer (NO Redux/Zustand) <span class="p">-</span> Error handling: <span class="p"> -</span> Wrap TanStack Query errors with Sonner toasts <span class="p"> -</span> ErrorBoundary component with design tokens <span class="p"> -</span> "Access Lost" interceptor: clear tenant, redirect, show toast </code></pre> </div> <p>Now when the agent generates a data-fetching hook, it doesn't reach for <code>useEffect</code> + <code>fetch</code> or SWR. It produces exactly what our codebase expects:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">useKnowledgeBases</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">sessionId</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useAuth</span><span class="p">();</span> <span class="k">return</span> <span class="nx">useQuery</span><span class="o">&lt;</span><span class="nx">KnowledgeBase</span><span class="p">[],</span> <span class="nb">Error</span><span class="o">&gt;</span><span class="p">({</span> <span class="na">queryKey</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">knowledgebases</span><span class="dl">'</span><span class="p">],</span> <span class="na">queryFn</span><span class="p">:</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="nx">knowledgebaseApi</span><span class="p">.</span><span class="nf">getKnowledgeBases</span><span class="p">(</span><span class="nx">sessionId</span> <span class="k">as</span> <span class="kr">string</span><span class="p">),</span> <span class="na">enabled</span><span class="p">:</span> <span class="o">!!</span><span class="nx">sessionId</span><span class="p">,</span> <span class="na">retry</span><span class="p">:</span> <span class="mi">2</span><span class="p">,</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>Session-aware. Query-key namespaced. Auth-gated with <code>enabled</code>. Retry count matching our standard. This is exactly what our human-written hooks look like — because the agent learned from the same conventions.</p> <h2> The Secret Weapon: MSW-First Development </h2> <p>Here's where it gets interesting. Our agent doesn't just generate UI components — it generates the <strong>entire mock layer</strong> alongside them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>MSW-FIRST DEVELOPMENT <span class="p">-</span> Use MSW (Mock Service Worker) during UI work—dev server and tests. <span class="p">-</span> Location: src/frontend/src/mocks/ <span class="p">-</span> Handlers: <span class="p"> -</span> Realistic delays: 300–800ms <span class="p"> -</span> Simulate ~5% errors <span class="p"> -</span> Validate required fields and return error shapes consistent with backend </code></pre> </div> <p>When we ask the agent to build a new feature, the output includes MSW handlers with realistic data:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Generated MSW handler for knowledge bases</span> <span class="nx">http</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/knowledgebases</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Simulate realistic network delay</span> <span class="k">await</span> <span class="nf">delay</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="mi">500</span> <span class="o">+</span> <span class="mi">300</span><span class="p">);</span> <span class="c1">// 5% error rate simulation</span> <span class="k">if </span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">&lt;</span> <span class="mf">0.05</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">HttpResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">detail</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Internal server error</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">500</span> <span class="p">}</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">HttpResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">items</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="dl">'</span><span class="s1">kb-001</span><span class="dl">'</span><span class="p">,</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Production Manual - North Plant</span><span class="dl">'</span><span class="p">,</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">S3</span><span class="dl">'</span><span class="p">,</span> <span class="na">status</span><span class="p">:</span> <span class="dl">'</span><span class="s1">ACTIVE</span><span class="dl">'</span><span class="p">,</span> <span class="na">documentCount</span><span class="p">:</span> <span class="mi">1247</span><span class="p">,</span> <span class="na">lastSynced</span><span class="p">:</span> <span class="dl">'</span><span class="s1">2026-04-03T14:30:00Z</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="c1">// ... more realistic domain-contextualized data</span> <span class="p">],</span> <span class="p">});</span> <span class="p">}),</span> </code></pre> </div> <p>This means the agent produces <strong>runnable features from the first prompt</strong>. No waiting for the backend team. No dummy <code>setTimeout</code> hacks. The UI renders with realistic data, realistic latency, and realistic error states immediately.</p> <h2> Backend as Source of Truth: The Codegen Bridge </h2> <p>One of our strongest architectural decisions was making the agent aware of our OpenAPI codegen pipeline:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>BACKEND AS SOURCE OF TRUTH (SPEC SYNC) <span class="p">-</span> Backend is authoritative. FastAPI + Pydantic (code-first). <span class="p">-</span> Frontend must use generated TypeScript types and API client only. <span class="p">-</span> Codegen: pnpm api:codegen <span class="p">-</span> After codegen, run git diff: <span class="p"> -</span> If there is a diff, surface: "Frontend types are stale relative to backend OpenAPI" and include diff summary. </code></pre> </div> <p>Our codegen setup (<code>openapi-ts.config.ts</code>) generates types, SDK methods, and even TanStack Query hooks directly from the backend's OpenAPI spec:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// openapi-ts.config.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">defineConfig</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@hey-api/openapi-ts</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="nf">defineConfig</span><span class="p">({</span> <span class="na">client</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@hey-api/client-fetch</span><span class="dl">'</span><span class="p">,</span> <span class="na">input</span><span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:8000/openapi.json</span><span class="dl">'</span><span class="p">,</span> <span class="na">output</span><span class="p">:</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">src/client</span><span class="dl">'</span><span class="p">,</span> <span class="na">format</span><span class="p">:</span> <span class="dl">'</span><span class="s1">prettier</span><span class="dl">'</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@tanstack/react-query</span><span class="dl">'</span><span class="p">,</span> <span class="na">queryOptions</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">mutationOptions</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">'</span><span class="s1">@hey-api/typescript</span><span class="dl">'</span><span class="p">,</span> <span class="na">enums</span><span class="p">:</span> <span class="dl">'</span><span class="s1">javascript</span><span class="dl">'</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">});</span> </code></pre> </div> <p>When the agent starts a task, it checks whether the generated types are current. If they've drifted, it flags it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>⚠️ SPEC MISMATCH: Frontend types are stale. - Missing field: `retryCount` on PromotionEvent - New enum value: `ROLLED_BACK` in PromotionStatus Running `pnpm api:codegen` to sync... </code></pre> </div> <p>This prevents the classic "the UI expects a field the API doesn't send" bug that usually surfaces at 11 PM on a Friday.</p> <h2> Autonomy Levels: Controlling the Blast Radius </h2> <p>We don't always want the agent to write production code. Sometimes we want a plan. Sometimes a scaffold. Sometimes the full implementation.</p> <p>So we built three autonomy levels:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>AUTONOMY LEVELS (Default = Level 2) <span class="p">-</span> Level 1: Plan Only → Step-by-step plan, file paths, component signatures. No code changes. <span class="p">-</span> Level 2: Plan + Scaffold → Create files, stubs, routing/context wiring, MSW handlers. Minimal UI with tokens; TODO comments. <span class="p">-</span> Level 3: Full Implementation → Complete feature including styling, tests, mocks, docs, and ready-to-run commands. </code></pre> </div> <p><strong>Level 1</strong> is for architecture discussions. "How would you build a promotion approval workflow?" The agent produces a plan, lists affected files, and maps component relationships — without touching a single file.</p> <p><strong>Level 2</strong> (the default) is our workhorse. The agent creates the file structure, wires routes and contexts, sets up MSW handlers, and builds minimal UI with correct tokens. Developers fill in the business logic.</p> <p><strong>Level 3</strong> is for well-defined features with clear specs. The agent produces everything: components, hooks, API functions, MSW handlers, unit tests, and even the <code>pnpm</code> commands to verify the output.</p> <h2> The Agent Lifecycle: Not Just "Generate Code" </h2> <p>What separates this from a glorified code generator is the <strong>end-to-end lifecycle</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code>END-TO-END AGENT LIFECYCLE Phase A — Plan <span class="p">-</span> Outline goals, dependencies, spec sync (codegen), and scope. <span class="p">-</span> Note any backend spec gaps (SPEC MISMATCH section). Phase B — Implement <span class="p">-</span> Apply scaffolding/implementation per autonomy level. <span class="p">-</span> Add MSW handlers and tests. Phase C — Validate <span class="p">-</span> Run typecheck, build, tests; verify codegen freshness. Phase D — Deliver <span class="p">-</span> Provide diffs, test plan, run commands, and follow-up concerns. </code></pre> </div> <p>The agent doesn't just output code and walk away. It:</p> <ol> <li> <strong>Plans</strong> — analyzing the request against the existing codebase</li> <li> <strong>Syncs</strong> — running codegen to ensure types are fresh</li> <li> <strong>Implements</strong> — generating code compliant with every convention</li> <li> <strong>Validates</strong> — running <code>pnpm frontend:quality</code> (typecheck + lint + format)</li> <li> <strong>Delivers</strong> — providing exact commands to test its output</li> </ol> <p>That validation step is key. If the agent generates code with a type error, it catches it in the same session and fixes it. The developer receives working code, not a first draft.</p> <h2> Real Output: What It Looks Like in Practice </h2> <p>Here's a real interaction. We asked the agent:</p> <blockquote> <p>"Build a deployment management page for the tenant feature. It should show a table of deployments with status badges, and a dialog to trigger new deployments."</p> </blockquote> <p>The agent produced:</p> <p><strong>8 files created:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/features/tenants/pages/DeploymentsPage.tsx src/features/tenants/components/DeploymentTable.tsx src/features/tenants/components/DeployAgentDialog.tsx src/features/tenants/hooks/useDeployments.ts src/features/tenants/types/deployment.ts src/mocks/handlers/deployments.ts src/features/tenants/components/__tests__/DeploymentTable.test.tsx </code></pre> </div> <p><strong>Every file followed conventions:</strong></p> <ul> <li>Design tokens, not raw Tailwind</li> <li>Dark mode variants on every element</li> <li>TanStack Query with proper query keys</li> <li>MSW handlers with realistic delays and 5% error simulation</li> <li>Radix Dialog for the deployment trigger</li> <li>Sonner toasts for success/error feedback</li> <li>Route guard with <code>RequireDeveloperAccess</code> </li> </ul> <p><strong>Zero manual corrections</strong> to the design system usage. One adjustment to a business logic edge case (handling a deployment state we hadn't documented). Total time from prompt to PR-ready code: <strong>~20 minutes</strong> including review. Previous estimate for the same feature: <strong>1–2 days</strong>.</p> <h2> The Pitfalls (A.K.A. What Bit Us So It Doesn't Bite You) </h2> <h3> 1. Vague Instructions = Vague Code </h3> <p>Our first agent definition was 40 lines. It produced code that was "close but not quite." The spacing tokens were right but the color tokens were generic. The file structure was feature-first but the naming was inconsistent.</p> <p><strong>Fix:</strong> We expanded to 200+ lines with explicit examples, explicit anti-patterns ("NO generic Tailwind"), and references to real files in the repo. The more specific your instructions, the more accurate the output.</p> <h3> 2. The Agent Doesn't Know What Changed Yesterday </h3> <p>If you add a new design token or change a convention and don't update the agent file, it'll use the old pattern. The agent definition is a living document — it needs to be maintained alongside the codebase.</p> <p><strong>Fix:</strong> We added agent definition updates to our PR checklist. Changed a convention? Update <code>FrontendAgent.agent.md</code> in the same PR.</p> <h3> 3. MSW Handlers Can Drift from Reality </h3> <p>The agent generates mock handlers based on its understanding of the API. But if the real API has quirks (pagination cursors, non-standard error shapes, optional fields), the mocks might not match.</p> <p><strong>Fix:</strong> We added the <code>SPEC MISMATCH</code> protocol. The agent explicitly flags when it's making assumptions about the API, so developers know which mocks need validation against the real backend.</p> <h3> 4. Over-Reliance Kills Understanding </h3> <p>The fastest way to create a team that doesn't understand its own codebase is to let the agent write everything without review. We use the agent as a <strong>force multiplier</strong>, not a replacement.</p> <p><strong>Fix:</strong> We default to Level 2 (scaffold), not Level 3 (full implementation). Developers fill in remaining business logic, which ensures they understand the code they're shipping.</p> <h3> 5. Token Stuffing — There's a Context Window Limit </h3> <p>Our agent instructions are 200+ lines, the theme guide is another 300+, and the copilot instructions are 150+. Some LLMs struggle with this much context.</p> <p><strong>Fix:</strong> We keep the agent file focused on <strong>rules and patterns</strong>, not exhaustive token lists. The agent references <code>THEME_GUIDE.md</code> for the full token catalogue rather than embedding it inline.</p> <h2> The Numbers </h2> <p>Before the custom agent:</p> <ul> <li> <strong>Feature scaffolding:</strong> 4–8 hours (file creation, routing, context wiring, mock setup)</li> <li> <strong>Design system violations per PR:</strong> 3–5 (wrong tokens, missing dark mode)</li> <li> <strong>Time to first rendered component:</strong> 2–4 hours (waiting for mock data setup)</li> <li> <strong>New developer ramp-up:</strong> 2–3 weeks to internalize conventions</li> </ul> <p>After the custom agent:</p> <ul> <li> <strong>Feature scaffolding:</strong> 15–30 minutes</li> <li> <strong>Design system violations per PR:</strong> 0–1</li> <li> <strong>Time to first rendered component:</strong> Under 10 minutes (MSW handlers generated alongside UI)</li> <li> <strong>New developer ramp-up:</strong> Days — they read the agent file and see the patterns</li> </ul> <p>The scaffolding speedup alone is <strong>10–15x</strong>. But the real win is <strong>consistency</strong>. Every feature looks like every other feature. Every hook follows the same pattern. Every mock handler has the same structure. The codebase feels like it was written by one very disciplined developer, not a rotating team of six.</p> <h2> When You Should <em>Not</em> Use This Pattern </h2> <ul> <li> <strong>Greenfield prototypes</strong> — if you're still deciding on conventions, you don't have enough patterns to encode. The agent amplifies consistency; it can't create it from nothing.</li> <li> <strong>Small teams with one frontend developer</strong> — if one person owns the entire frontend, the conventions live in their head. The agent adds overhead without proportional benefit.</li> <li> <strong>Frequently changing architecture</strong> — if you're rewriting your state management strategy every sprint, the agent definition will always be stale. Stabilize first, then encode.</li> </ul> <h2> A Practical Implementation Checklist </h2> <p>If you want to build your own frontend agent:</p> <ul> <li>[ ] <strong>Document your design system</strong> in a machine-readable format (we use a Tailwind config + theme guide)</li> <li>[ ] <strong>Map your file structure</strong> explicitly — feature directories, naming conventions, import aliases</li> <li>[ ] <strong>Encode your state management rules</strong> — which tool for which type of state, and why</li> <li>[ ] <strong>Define your API integration pattern</strong> — codegen pipeline, client library, error handling</li> <li>[ ] <strong>Include anti-patterns</strong> — what NOT to do is as important as what to do</li> <li>[ ] <strong>Add autonomy levels</strong> — give developers control over how much the agent does</li> <li>[ ] <strong>Wire in validation</strong> — the agent should run your lint/typecheck/build as part of its output</li> <li>[ ] <strong>Reference, don't embed</strong> — point to config files rather than duplicating 360 lines of tokens</li> <li>[ ] <strong>Add a lifecycle</strong> — plan, implement, validate, deliver — not just "generate code"</li> <li>[ ] <strong>Maintain it like code</strong> — update the agent file in the same PR as convention changes</li> <li>[ ] <strong>Start with scaffold mode</strong> — let developers fill in business logic to maintain understanding</li> <li>[ ] <strong>Include MSW patterns</strong> — mock-first development is essential for frontend agent velocity</li> </ul> <h2> The Deeper Insight: Agents Are Architecture Documentation That Executes </h2> <p>The most unexpected benefit wasn't speed. It was <strong>documentation</strong>.</p> <p>Our <code>FrontendAgent.agent.md</code> file is the most accurate, most up-to-date description of our frontend architecture. Not because we wrote documentation — we hate writing documentation — but because <strong>if the agent file is wrong, the generated code is wrong, and someone fixes the agent file.</strong></p> <p>It's documentation with a built-in feedback loop. When the agent produces a component with the wrong token, the developer who catches it updates the agent instructions. The next generation is correct. Over time, the agent file converges on a precise description of how the codebase actually works.</p> <p>Compare that to a Confluence page that was last updated eight months ago.</p> <h2> What's Next: The Agent Becomes the PR Reviewer </h2> <p>We're exploring using the same agent instructions as a <strong>code review agent</strong>. If the agent knows every convention, it should be able to flag violations in PRs automatically:</p> <ul> <li>"This component uses <code>bg-gray-100</code> — should be <code>bg-background-surface</code>"</li> <li>"This hook is in <code>src/components/</code> — should be in <code>src/features/tenants/hooks/</code>"</li> <li>"Missing dark mode variant on <code>text-text-normal</code>"</li> <li>"MSW handler missing for new <code>/api/promotions/:id/approve</code> endpoint"</li> </ul> <p>Same knowledge, different mode. Build in one direction, verify in the other.</p> <h2> Closing: The Best Frontend Engineer on Your Team Doesn't Sleep </h2> <p>An AI agent with the right instructions isn't a replacement for your frontend team. It's the <strong>most consistent</strong> member of your frontend team. It never forgets a dark mode variant. It never uses the wrong spacing token. It never puts a hook in the wrong directory.</p> <p>But it also doesn't make product decisions. It doesn't architect from scratch. It doesn't push back on a bad spec.</p> <p>The sweet spot is composing human judgment with machine consistency. You decide <em>what</em> to build. The agent scaffolds <em>how</em> — following every convention, every token, every pattern your team has established.</p> <p>And when it's 4 PM on a Friday and the PM says "we need one more feature page before the demo," you can spin up a complete, design-system-compliant, dark-mode-ready, MSW-wired, type-safe scaffold in 15 minutes instead of 4 hours.</p> <p>That's not magic. That's architecture, encoded.</p> <p><em>How are you using AI agents in your frontend workflow? Are you encoding project-specific knowledge, or using generic assistants? I'd love to hear what patterns are working for teams at scale — drop a comment.</em></p> <h2> Resources </h2> <ul> <li>GitHub Copilot: <a href="https://docs.github.com/en/copilot/customizing-copilot/adding-repository-custom-instructions-for-github-copilot" rel="noopener noreferrer">Custom Instructions</a> — how to add project-specific context</li> <li>MSW: <a href="https://mswjs.io/" rel="noopener noreferrer">Mock Service Worker</a> — API mocking for browser and Node.js</li> <li>Hey API: <a href="https://heyapi.dev/" rel="noopener noreferrer">OpenAPI TypeScript Codegen</a> — generate types and clients from OpenAPI specs</li> <li>TanStack Query: <a href="https://tanstack.com/query/latest" rel="noopener noreferrer">React Query</a> — server state management</li> <li>Tailwind CSS: <a href="https://tailwindcss.com/docs/theme" rel="noopener noreferrer">Design Tokens</a> — custom theme configuration</li> <li>Radix UI: <a href="https://www.radix-ui.com/" rel="noopener noreferrer">Headless Primitives</a> — accessible UI components without default styles</li> </ul> <h2> About the Author </h2> <p><strong>Suraj Khaitan</strong> — Gen AI Architect | Building scalable platforms and AI-augmented engineering workflows</p> <p>Connect on <a href="https://www.linkedin.com/in/suraj-khaitan-501736a2/" rel="noopener noreferrer">LinkedIn</a> | Follow for more engineering and architecture write-ups</p> ai agents aws frontend Suraj Khaitan Sat, 14 Mar 2026 10:32:45 +0000 https://dev.to/suraj_khaitan_f893c243958/-i-mass-terminated-my-copilot-plans-heres-why-claude-code-won-321a https://dev.to/suraj_khaitan_f893c243958/-i-mass-terminated-my-copilot-plans-heres-why-claude-code-won-321a <p><em>How an agentic AI in the terminal replaced my IDE plugins, scaffold scripts, and half my Stack Overflow tabs—without ever opening a GUI</em></p> <h2> The Moment I Realized My Coding Workflow Was a Lie </h2> <p>Every developer eventually hits the same wall:</p> <blockquote> <p>"I have 4 AI extensions, 12 keyboard shortcuts, and I'm still copy-pasting code between a chatbot and my editor."</p> </blockquote> <p>Tab-complete autocomplete? Great for variable names. IDE chat panels? Nice for explaining regex. But the moment you need an AI to <strong>actually understand your codebase, edit 14 files, run your tests, and fix its own mistakes</strong>—the shiny plugins fall apart.</p> <p>Then I tried something that felt reckless:</p> <blockquote> <p>I gave an AI full access to my terminal.</p> </blockquote> <p>Specifically: <strong>Claude Code—Anthropic's agentic coding tool that lives in your CLI, reads your repo, writes real code, and executes commands.</strong></p> <p>I haven't looked back.</p> <h2> TL;DR (If You Only Read One Section) </h2> <ul> <li> <strong>Problem:</strong> AI coding assistants that autocomplete lines can't architect solutions. Chat-based tools require endless copy-paste.</li> <li> <strong>Move:</strong> Claude Code operates as an agentic AI <em>inside your terminal</em>—it reads, writes, runs, and iterates autonomously.</li> <li> <strong>Result:</strong> Multi-file refactors in minutes. Bug fixes with zero context switching. Git workflows handled conversationally.</li> <li> <strong>Tradeoff:</strong> You're trusting an agent with shell access. Guardrails and review discipline matter more than ever.</li> </ul> <h2> Why Claude Code Is Trending Right Now </h2> <p>Scroll through any dev community in 2025–2026, and you'll see the same frustration:</p> <ul> <li>"Copilot autocomplete is nice but it doesn't <em>think</em>."</li> <li>"ChatGPT is smart but it doesn't know my codebase."</li> <li>"I spend more time prompt-engineering than actual engineering."</li> </ul> <p>Claude Code hits different because it collapses the gap between <strong>knowing</strong> and <strong>doing</strong>. It doesn't suggest code in a sidebar—it <em>implements changes directly in your repo</em>, runs your test suite, reads the errors, and fixes them. In a loop. Without you alt-tabbing once.</p> <p>The industry term is <strong>agentic coding</strong>. And it's not a buzzword anymore—it's a workflow.</p> <h2> What Even <em>Is</em> Claude Code? </h2> <p>Claude Code is a command-line tool from Anthropic. You install it, point it at a project, and talk to it like a senior developer sitting next to you.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install it</span> npm <span class="nb">install</span> <span class="nt">-g</span> @anthropic-ai/claude-code <span class="c"># Start it in your project</span> <span class="nb">cd </span>my-project claude </code></pre> </div> <p>That's it. No VS Code extension to configure. No API keys to paste into settings.json. No "select model" dropdown with 47 options.</p> <p>You get a REPL-like interface where you type natural language, and Claude:</p> <ol> <li> <strong>Reads</strong> your files and project structure</li> <li> <strong>Plans</strong> the changes needed</li> <li> <strong>Writes</strong> the code across multiple files</li> <li> <strong>Runs</strong> commands (tests, builds, linters)</li> <li> <strong>Iterates</strong> if something breaks</li> </ol> <p>It's like pair programming—except your pair never gets tired, never forgets the module structure, and never says "let me think about that" for 45 minutes.</p> <h2> Real Workflows That Made Me a Believer </h2> <h3> 1) The "Refactor 30 Files" Moment </h3> <p>I needed to migrate an API layer from Axios to a custom fetch wrapper. With traditional AI tools, that's:</p> <ul> <li>Explain the pattern in a chat</li> <li>Copy the suggestion</li> <li>Paste it into File 1</li> <li>Realize it doesn't match my error handling</li> <li>Re-explain</li> <li>Repeat 29 more times</li> </ul> <p>With Claude Code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Refactor all API calls in src/features/ from axios to use the fetchWrapper in src/lib/api.ts. Preserve error handling patterns. Run the type checker after. </code></pre> </div> <p>It read every file, understood the existing patterns, made the changes, ran <code>tsc</code>, found 3 type errors, and fixed them. Total time: <strong>4 minutes.</strong></p> <h3> 2) The "Debug This Flaky Test" Nightmare </h3> <p>A test was passing locally and failing in CI. The usual investigation: environment differences, timing issues, mock state leaking.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; The test in src/features/agents/__tests__/AgentList.test.tsx is failing in CI with "Unable to find role='button'". It passes locally. Investigate and fix. </code></pre> </div> <p>Claude Code read the test, read the component, identified a race condition with an async render, added the correct <code>waitFor</code> wrapper, and ran the test suite to confirm. <strong>Done in 90 seconds.</strong></p> <h3> 3) The "Write the Whole Feature" Sprint </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Create a new feature module for "cost-management" under src/features/. Follow the same pattern as the agents feature: api layer, components, hooks, and route registration. Include a dashboard page with a summary card grid and a data table. </code></pre> </div> <p>It scaffolded 8 files, wired up the route, created TanStack Query hooks, and built components using our existing design tokens—because it <strong>read our codebase first</strong>. Not a template. Not a snippet. Actual contextual code.</p> <h2> The Architecture: Why "Terminal-Native" Is the Unlock </h2> <p>Most AI coding tools follow this pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>IDE Plugin → Language Server → AI API → Suggestion → Developer copies it </code></pre> </div> <p>Claude Code follows this one:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Developer → Claude Code (terminal) → reads repo → plans → writes files → runs commands → verifies → done </code></pre> </div> <p>The key difference: <strong>the feedback loop is closed</strong>. Claude doesn't suggest and hope. It acts, observes the result, and iterates.</p> <p>This is the difference between:</p> <ul> <li>A GPS that <em>shows you the route</em> (traditional AI)</li> <li>A self-driving car that <em>takes you there</em> (agentic AI)</li> </ul> <h3> Why the Terminal? </h3> <p>The terminal is the most powerful interface a developer has. It's where you:</p> <ul> <li>Run builds and tests</li> <li>Manage git</li> <li>Execute scripts</li> <li>Install dependencies</li> <li>Deploy</li> </ul> <p>By living in the terminal, Claude Code has access to the same tools you do. It doesn't need a special plugin API or language server protocol. It just… uses your tools.</p> <h2> The Permission Model: Trust, but Verify </h2> <p>Here's the part that makes security-conscious engineers twitch: this thing can run commands.</p> <p>Claude Code handles this with a <strong>tiered permission system</strong>:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Action</th> <th>Permission</th> </tr> </thead> <tbody> <tr> <td>Read files</td> <td>✅ Automatic</td> </tr> <tr> <td>Write/edit files</td> <td>⚠️ Asks permission (configurable)</td> </tr> <tr> <td>Run terminal commands</td> <td>⚠️ Asks permission (configurable)</td> </tr> <tr> <td>Run "safe" commands (ls, cat, grep)</td> <td>✅ Automatic</td> </tr> <tr> <td>Run destructive commands</td> <td>🛑 Always asks</td> </tr> </tbody> </table></div> <p>You can configure it to auto-approve certain patterns:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Allow all file writes in src/</span> <span class="c"># Allow test runs without asking</span> <span class="c"># Always ask before git push</span> </code></pre> </div> <p>The mental model: <strong>it's a junior developer with terminal access</strong>. You wouldn't let them <code>git push --force</code> without review, but you'd let them run <code>npm test</code> freely.</p> <h2> Claude Code vs. The Field: An Honest Comparison </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Capability</th> <th>GitHub Copilot</th> <th>ChatGPT/GPT-4</th> <th>Cursor</th> <th>Claude Code</th> </tr> </thead> <tbody> <tr> <td>Line-level autocomplete</td> <td>✅ Excellent</td> <td>❌ N/A</td> <td>✅ Good</td> <td>❌ Not its thing</td> </tr> <tr> <td>Multi-file edits</td> <td>❌ Limited</td> <td>❌ Copy-paste</td> <td>✅ Good</td> <td>✅ Excellent</td> </tr> <tr> <td>Codebase awareness</td> <td>⚠️ Current file</td> <td>❌ None</td> <td>✅ Good</td> <td>✅ Excellent</td> </tr> <tr> <td>Runs commands</td> <td>❌ No</td> <td>❌ No</td> <td>⚠️ Limited</td> <td>✅ Full terminal</td> </tr> <tr> <td>Self-corrects errors</td> <td>❌ No</td> <td>❌ No</td> <td>⚠️ Sometimes</td> <td>✅ Yes (loop)</td> </tr> <tr> <td>Works without IDE</td> <td>❌ No</td> <td>✅ Yes (browser)</td> <td>❌ No</td> <td>✅ Yes (terminal)</td> </tr> <tr> <td>Agentic workflow</td> <td>❌ No</td> <td>❌ No</td> <td>⚠️ Emerging</td> <td>✅ Core design</td> </tr> </tbody> </table></div> <p><strong>The nuance:</strong> Claude Code isn't trying to replace your autocomplete. It's a different tool for a different job. Use Copilot for line-level flow. Use Claude Code when you need an agent that <em>does work</em>.</p> <h2> The Workflow That Actually Works </h2> <p>After months of daily use, here's my optimized flow:</p> <h3> Morning: Strategic Work with Claude Code </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Review the open PR #142. Summarize the changes and flag any potential issues with our auth middleware. </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Implement the API integration for the new knowledge-base management feature. Follow existing patterns in src/features/agents/. </code></pre> </div> <h3> Afternoon: Tactical Fixes </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Fix all TypeScript errors in src/features/tools/. Run the type checker and show me the results. </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Update the unit tests for UseCaseApi to cover the new delete endpoint. Run them and make sure they pass. </code></pre> </div> <h3> End of Day: Cleanup </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>&gt; Review all changes I've made today. Create a commit with a conventional commit message. </code></pre> </div> <p>The shift: I went from <strong>writing code</strong> to <strong>directing code</strong>. My job became architecture, review, and decision-making. The implementation became a conversation.</p> <h2> Gotchas (The Part Everyone Discovers at 2 AM) </h2> <h3> 1) It's Confident, Not Always Correct </h3> <p>Claude Code will make changes with conviction. Sometimes those changes are subtly wrong. <strong>Always review diffs before committing.</strong> Trust the agent, but verify the output.</p> <h3> 2) Context Window Limits Are Real </h3> <p>On massive monorepos, Claude Code can't hold your entire codebase in memory. Mitigations:</p> <ul> <li>Use a <code>CLAUDE.md</code> file to give it project context and conventions</li> <li>Point it at specific directories rather than the whole repo</li> <li>Break large tasks into focused steps</li> </ul> <h3> 3) It Can Get Into Loops </h3> <p>Occasionally, it'll try to fix an error, introduce a new one, fix that, introduce another. When you see this:</p> <ul> <li>Stop it</li> <li>Give it clearer constraints</li> <li>Break the task down</li> </ul> <h3> 4) Cost Awareness </h3> <p>Claude Code uses API credits. Complex multi-file refactors with test loops can add up. Monitor your usage, especially in the "let it run" agentic mode.</p> <h2> The CLAUDE.md File: Your Project's AI Constitution </h2> <p>The secret weapon most people miss: create a <code>CLAUDE.md</code> at your project root.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># CLAUDE.md</span> <span class="gu">## Project Overview</span> This is a React + FastAPI monorepo for an internal platform. <span class="gu">## Conventions</span> <span class="p">-</span> Use design system tokens, never raw Tailwind colors <span class="p">-</span> Follow feature-based file organization under src/features/ <span class="p">-</span> Use TanStack Query for server state <span class="p">-</span> All API calls go through src/lib/api.ts <span class="gu">## Commands</span> <span class="p">-</span> <span class="sb">`pnpm frontend:dev`</span> - Start frontend <span class="p">-</span> <span class="sb">`pnpm frontend:quality`</span> - Type check + lint <span class="p">-</span> <span class="sb">`pytest`</span> - Run backend tests <span class="gu">## Don'ts</span> <span class="p">-</span> Never modify shared components without discussing <span class="p">-</span> Don't install new dependencies without justification <span class="p">-</span> Don't push directly to main </code></pre> </div> <p>This file acts as persistent memory. Every time Claude Code starts, it reads this file and follows the rules. It's like onboarding documentation—but for your AI pair programmer.</p> <h2> Who Should (and Shouldn't) Use Claude Code </h2> <h3> Use it if: </h3> <ul> <li>You work on codebases with 10+ files that need coordinated changes</li> <li>You're tired of copy-pasting between AI chats and your editor</li> <li>You want to automate repetitive refactors, test writing, or migrations</li> <li>You're comfortable reviewing diffs and understanding the code an AI writes</li> </ul> <h3> Skip it if: </h3> <ul> <li>You mainly need line-level autocomplete (use Copilot)</li> <li>You're learning to code and need to understand every line you write</li> <li>Your org prohibits AI tools from accessing source code</li> <li>You prefer GUI-first workflows and rarely use the terminal</li> </ul> <h2> The Bigger Picture: We're Entering the "Agent" Era of Dev Tools </h2> <p>Claude Code isn't an anomaly. It's the leading edge of a shift:</p> <p><strong>Era 1</strong> — Stack Overflow &amp; Docs (search for answers)<br><br> <strong>Era 2</strong> — AI Chat (ask for answers)<br><br> <strong>Era 3</strong> — AI Autocomplete (get suggestions inline)<br><br> <strong>Era 4</strong> — <strong>Agentic AI (delegate tasks to an autonomous agent)</strong> ← <em>We are here</em></p> <p>The developers who thrive in Era 4 won't be the fastest typists. They'll be the best <strong>directors</strong>—people who can decompose problems, set constraints, review output, and guide an agent toward the right solution.</p> <p>The skill isn't "can you write a React component?" anymore.</p> <p>It's "can you describe what the component should do, review what the agent built, and course-correct in real time?"</p> <h2> Final Take: It's Not About Replacing Developers </h2> <p>Every AI tool gets the same question: "Will this replace me?"</p> <p>No. But it will replace the <em>version of you</em> that spends 60% of the day on mechanical implementation.</p> <p>Claude Code doesn't have taste. It doesn't know your users. It can't decide whether a feature should exist. It can't navigate a product meeting, push back on a bad spec, or mentor a junior developer.</p> <p>But it can turn your architectural decisions into working code faster than any tool I've used. And that's not a threat—it's a superpower.</p> <p><em>What's your biggest frustration with current AI coding tools? Is it context awareness, copy-paste fatigue, or something else? Drop your take below.</em></p> <h2> Resources </h2> <ul> <li><a href="https://docs.anthropic.com/en/docs/claude-code" rel="noopener noreferrer">Claude Code — Official Documentation</a></li> <li><a href="https://www.anthropic.com/claude" rel="noopener noreferrer">Anthropic — Claude Model Family</a></li> <li><a href="https://docs.anthropic.com/en/docs/claude-code/memory" rel="noopener noreferrer">CLAUDE.md — Project Context Files</a></li> <li><a href="https://www.anthropic.com/research" rel="noopener noreferrer">Agentic Coding Explained — Anthropic Blog</a></li> <li><a href="https://www.npmjs.com/package/@anthropic-ai/claude-code" rel="noopener noreferrer">Getting Started: npm install -g @anthropic-ai/claude-code</a></li> </ul> <h2> About the Author </h2> <p><strong>Suraj Khaitan</strong> — Gen AI Architect | Building scalable platforms and secure cloud-native systems</p> <p>Connect on <a href="https://www.linkedin.com/in/suraj-khaitan-501736a2/" rel="noopener noreferrer">LinkedIn</a> | Follow for more engineering and architecture write-ups</p> ai antigravity agents cloud Suraj Khaitan Sat, 28 Feb 2026 07:39:04 +0000 https://dev.to/suraj_khaitan_f893c243958/stop-calling-sts-on-every-request-redis-caching-patterns-that-cut-login-latency-by-10x-1pnh https://dev.to/suraj_khaitan_f893c243958/stop-calling-sts-on-every-request-redis-caching-patterns-that-cut-login-latency-by-10x-1pnh <p><em>How caching sessions and temporary AWS credentials in Redis turned our auth layer from a bottleneck into a near-zero-cost lookup</em></p> <h2> The Moment We Realized Our Auth Was a DDoS on Ourselves </h2> <p>Every authenticated request in our multi-tenant platform did the same dance:</p> <ol> <li>Validate the user's session</li> <li>Check their role mappings (tenant, use case, environment)</li> <li>Call AWS STS to assume the right IAM role</li> <li>Return temporary credentials so downstream services could talk to S3, DynamoDB, Bedrock, etc.</li> </ol> <p>Steps 1–3 hit the network. Every. Single. Time.</p> <p>At modest traffic, it was fine. At scale, we were essentially DDoS-ing our own identity layer—STS throttling kicked in, latency spiked, and users saw login spinners that never stopped spinning.</p> <p>The fix wasn't a new auth framework. It was <strong>Redis</strong>.</p> <h2> TL;DR (If You Skim, Skim This) </h2> <ul> <li> <strong>Problem:</strong> Per-request STS calls + stateless session validation = slow logins + rate limiting at scale.</li> <li> <strong>Move:</strong> Cache session data and STS credentials in Redis with structured keys and smart TTLs.</li> <li> <strong>Result:</strong> Sub-millisecond session lookups, ~90% fewer STS API calls, and a warm credential cache that makes subsequent requests feel instant.</li> <li> <strong>Tradeoff:</strong> You need a cache invalidation strategy and must handle Redis failures gracefully.</li> </ul> <h2> Why This Pattern Is Having a Moment </h2> <p>Three trends are colliding right now:</p> <ol> <li> <strong>Multi-tenant platforms are everywhere.</strong> Each tenant has its own IAM boundary, its own roles, its own credential scope. That's a lot of <code>AssumeRole</code> calls.</li> <li> <strong>STS has hard rate limits.</strong> AWS throttles <code>AssumeRole</code> at ~500 requests/second per account. Hit that in production and you'll learn the meaning of <code>AccessDenied</code> the hard way.</li> <li> <strong>Users expect instant auth.</strong> Nobody waits 2 seconds for a login to "warm up." If the first click feels slow, trust evaporates.</li> </ol> <p>Redis sits at the intersection of all three: it's fast enough to feel like memory, persistent enough to survive pod restarts (in clustered mode), and simple enough that the caching logic doesn't become its own microservice.</p> <h2> The Architecture: Two Caches, One Redis </h2> <p>We use Redis for two distinct but related caching concerns:</p> <h3> 1. Session Cache (Identity Layer) </h3> <p>When a user logs in (via OIDC), we create a <strong>platform session</strong> in Redis:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">session_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">jane.doe@example.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">roles</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">TenantId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">acme-corp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">UseCaseId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">doc-search</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Environment</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">prod</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">RoleName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">USE_CASE_DEVELOPER</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="sh">"</span><span class="s">TenantId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">acme-corp</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">UseCaseId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">chatbot</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Environment</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">dev</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">RoleName</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">USE_CASE_OWNER</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="sh">"</span><span class="s">highest_role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">USE_CASE_OWNER</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">platform_roles</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="sh">"</span><span class="s">USE_CASE_OWNER</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">USE_CASE_DEVELOPER</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">:</span> <span class="p">{},</span> <span class="c1"># STS credentials are added lazily </span><span class="p">}</span> </code></pre> </div> <p><strong>Key format:</strong> <code>session:&lt;uuid&gt;</code><br> <strong>TTL:</strong> 1 hour (configurable via env)</p> <p>This replaces the classic "hit the database on every request" pattern. Once stored, every downstream service validates auth by reading from Redis—not by calling the IdP or querying a user table.</p> <h3> 2. STS Credential Cache (AWS Access Layer) </h3> <p>When a user accesses a specific tenant/use-case/environment, we call <code>sts:AssumeRole</code> to get short-lived credentials. These get cached <strong>inside the session object</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">session_data</span><span class="p">[</span><span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">acme-corp|doc-search|prod|USE_CASE_DEVELOPER</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">AccessKeyId</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ASIA...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SecretAccessKey</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">wJal...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">SessionToken</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">FwoG...</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Expiration</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2026-02-28T19:00:00+00:00</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key format (composite):</strong> <code>TenantId|UseCaseId|Environment|RoleName</code><br> <strong>TTL:</strong> Derived from credential expiry minus a 5-minute safety buffer</p> <p>This means the second time a user touches the same tenant/environment, we skip STS entirely.</p> <h2> The Code: Session Storage </h2> <p>Here's the core of how we store a session after successful OIDC login:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">import</span> <span class="n">redis</span> <span class="kn">from</span> <span class="n">redis.connection</span> <span class="kn">import</span> <span class="n">ConnectionPool</span> <span class="n">DEFAULT_TTL_SECONDS</span> <span class="o">=</span> <span class="mi">3600</span> <span class="c1"># 1 hour </span> <span class="c1"># Singleton connection pool — one per process </span><span class="n">_connection_pool</span><span class="p">:</span> <span class="n">ConnectionPool</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">get_redis_pool</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">ConnectionPool</span><span class="p">:</span> <span class="k">global</span> <span class="n">_connection_pool</span> <span class="k">if</span> <span class="n">_connection_pool</span> <span class="ow">is</span> <span class="bp">None</span><span class="p">:</span> <span class="n">_connection_pool</span> <span class="o">=</span> <span class="nc">ConnectionPool</span><span class="p">(</span> <span class="n">host</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">REDIS_HOST</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span><span class="p">),</span> <span class="n">port</span><span class="o">=</span><span class="nf">int</span><span class="p">(</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">REDIS_PORT</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">6379</span><span class="sh">"</span><span class="p">)),</span> <span class="n">db</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">max_connections</span><span class="o">=</span><span class="mi">50</span><span class="p">,</span> <span class="n">decode_responses</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">socket_keepalive</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">socket_connect_timeout</span><span class="o">=</span><span class="mi">5</span><span class="p">,</span> <span class="n">retry_on_timeout</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">_connection_pool</span> <span class="k">def</span> <span class="nf">get_redis_client</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="n">redis</span><span class="p">.</span><span class="n">Redis</span><span class="p">:</span> <span class="k">return</span> <span class="n">redis</span><span class="p">.</span><span class="nc">Redis</span><span class="p">(</span><span class="n">connection_pool</span><span class="o">=</span><span class="nf">get_redis_pool</span><span class="p">())</span> <span class="k">def</span> <span class="nf">store_session</span><span class="p">(</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">roles</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">],</span> <span class="n">highest_role</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">platform_roles</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">ttl_seconds</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="n">DEFAULT_TTL_SECONDS</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">client</span> <span class="o">=</span> <span class="nf">get_redis_client</span><span class="p">()</span> <span class="n">session_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">roles</span><span class="sh">"</span><span class="p">:</span> <span class="n">roles</span><span class="p">,</span> <span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">:</span> <span class="p">{},</span> <span class="sh">"</span><span class="s">highest_role</span><span class="sh">"</span><span class="p">:</span> <span class="n">highest_role</span><span class="p">,</span> <span class="sh">"</span><span class="s">platform_roles</span><span class="sh">"</span><span class="p">:</span> <span class="n">platform_roles</span> <span class="ow">or</span> <span class="p">[],</span> <span class="p">}</span> <span class="n">client</span><span class="p">.</span><span class="nf">setex</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">session:</span><span class="si">{</span><span class="n">session_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">ttl_seconds</span><span class="p">,</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">session_data</span><span class="p">),</span> <span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">except</span> <span class="n">redis</span><span class="p">.</span><span class="n">RedisError</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> </code></pre> </div> <p><strong>Why <code>setex</code> instead of <code>set</code> + <code>expire</code>?</strong> Atomicity. If the process crashes between <code>set</code> and <code>expire</code>, you get a session that never dies. <code>setex</code> is a single atomic operation.</p> <h2> The Code: STS Credential Caching </h2> <p>The real performance win is here—caching the output of <code>sts:AssumeRole</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">boto3</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span> <span class="n">sts_client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">sts</span><span class="sh">"</span><span class="p">)</span> <span class="n">EXPIRATION_BUFFER_SEC</span> <span class="o">=</span> <span class="mi">300</span> <span class="c1"># 5 minutes </span> <span class="k">def</span> <span class="nf">get_sts_credentials</span><span class="p">(</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">platform_role</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">user_email</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">use_case_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">force_refresh</span><span class="p">:</span> <span class="nb">bool</span> <span class="o">=</span> <span class="bp">False</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Step 1: Check the cache first </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">force_refresh</span><span class="p">:</span> <span class="n">cached</span> <span class="o">=</span> <span class="nf">get_credentials_from_session</span><span class="p">(</span> <span class="n">session_id</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">,</span> <span class="n">use_case_id</span><span class="p">,</span> <span class="n">environment</span><span class="p">,</span> <span class="n">platform_role</span><span class="p">,</span> <span class="p">)</span> <span class="k">if</span> <span class="n">cached</span> <span class="ow">and</span> <span class="nf">is_credential_valid</span><span class="p">(</span><span class="n">cached</span><span class="p">):</span> <span class="k">return</span> <span class="n">cached</span> <span class="c1"># 🎯 Cache hit — skip STS entirely </span> <span class="c1"># Step 2: Cache miss — call STS </span> <span class="n">role_arn</span> <span class="o">=</span> <span class="nf">resolve_role_arn</span><span class="p">(</span><span class="n">platform_role</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">sts_client</span><span class="p">.</span><span class="nf">assume_role</span><span class="p">(</span> <span class="n">RoleArn</span><span class="o">=</span><span class="n">role_arn</span><span class="p">,</span> <span class="n">RoleSessionName</span><span class="o">=</span><span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">tenant_id</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">use_case_id</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="sh">"</span><span class="p">[:</span><span class="mi">64</span><span class="p">],</span> <span class="n">DurationSeconds</span><span class="o">=</span><span class="mi">3600</span><span class="p">,</span> <span class="p">)</span> <span class="n">creds</span> <span class="o">=</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">Credentials</span><span class="sh">"</span><span class="p">]</span> <span class="n">credential_data</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">AccessKeyId</span><span class="sh">"</span><span class="p">:</span> <span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">AccessKeyId</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">SecretAccessKey</span><span class="sh">"</span><span class="p">:</span> <span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">SecretAccessKey</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">SessionToken</span><span class="sh">"</span><span class="p">:</span> <span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">SessionToken</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">Expiration</span><span class="sh">"</span><span class="p">:</span> <span class="n">creds</span><span class="p">[</span><span class="sh">"</span><span class="s">Expiration</span><span class="sh">"</span><span class="p">].</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="p">}</span> <span class="c1"># Step 3: Cache with smart TTL (expire before AWS does) </span> <span class="n">expiration</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span><span class="n">credential_data</span><span class="p">[</span><span class="sh">"</span><span class="s">Expiration</span><span class="sh">"</span><span class="p">])</span> <span class="n">ttl</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span> <span class="p">(</span><span class="n">expiration</span> <span class="o">-</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">expiration</span><span class="p">.</span><span class="n">tzinfo</span><span class="p">)).</span><span class="nf">total_seconds</span><span class="p">()</span> <span class="p">)</span> <span class="o">-</span> <span class="n">EXPIRATION_BUFFER_SEC</span> <span class="k">if</span> <span class="n">ttl</span> <span class="o">&gt;</span> <span class="mi">0</span><span class="p">:</span> <span class="nf">store_credentials_in_session</span><span class="p">(</span> <span class="n">session_id</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">,</span> <span class="n">use_case_id</span><span class="p">,</span> <span class="n">environment</span><span class="p">,</span> <span class="n">platform_role</span><span class="p">,</span> <span class="n">credential_data</span><span class="p">,</span> <span class="n">ttl</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">credential_data</span> </code></pre> </div> <p>The <code>EXPIRATION_BUFFER_SEC = 300</code> is critical. STS credentials expire at a hard boundary. If you serve a credential that's 10 seconds from death, the downstream AWS call will fail with a confusing <code>ExpiredTokenException</code>. The 5-minute buffer ensures we always refresh before the cliff.</p> <h2> Credential Validity Check </h2> <p>A clean helper that prevents serving stale credentials:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">is_credential_valid</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">expiration_str</span> <span class="o">=</span> <span class="n">credentials</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Expiration</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">expiration_str</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="n">expiration</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">fromisoformat</span><span class="p">(</span> <span class="n">expiration_str</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">Z</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">+00:00</span><span class="sh">"</span><span class="p">)</span> <span class="p">)</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">expiration</span><span class="p">.</span><span class="n">tzinfo</span><span class="p">)</span> <span class="n">buffer_seconds</span> <span class="o">=</span> <span class="mi">300</span> <span class="nf">return </span><span class="p">(</span><span class="n">expiration</span> <span class="o">-</span> <span class="n">now</span><span class="p">).</span><span class="nf">total_seconds</span><span class="p">()</span> <span class="o">&gt;</span> <span class="n">buffer_seconds</span> </code></pre> </div> <p>If the credential is within 5 minutes of expiring, we treat it as expired. Simple, defensive, saves you from debugging <code>ExpiredTokenException</code> at 3 AM.</p> <h2> Session Validation: The Hot Path </h2> <p>Every authenticated API request runs through this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">validate_session_and_role</span><span class="p">(</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">use_case_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">environment</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Single Redis GET — sub-millisecond </span> <span class="n">session_data</span> <span class="o">=</span> <span class="nf">get_session</span><span class="p">(</span><span class="n">session_id</span><span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">session_data</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sh">"</span><span class="s">Session not found or expired</span><span class="sh">"</span><span class="p">)</span> <span class="n">user_email</span> <span class="o">=</span> <span class="n">session_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">userId</span><span class="sh">"</span><span class="p">)</span> <span class="n">roles</span> <span class="o">=</span> <span class="n">session_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">roles</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="n">result</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">valid</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">user_email</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_email</span><span class="p">,</span> <span class="sh">"</span><span class="s">all_roles</span><span class="sh">"</span><span class="p">:</span> <span class="n">roles</span><span class="p">,</span> <span class="sh">"</span><span class="s">highest_role</span><span class="sh">"</span><span class="p">:</span> <span class="nf">derive_highest_role</span><span class="p">(</span><span class="n">roles</span><span class="p">),</span> <span class="p">}</span> <span class="c1"># Optional: validate specific tenant/use-case access </span> <span class="k">if</span> <span class="n">tenant_id</span> <span class="ow">and</span> <span class="n">use_case_id</span> <span class="ow">and</span> <span class="n">environment</span><span class="p">:</span> <span class="n">matching_role</span> <span class="o">=</span> <span class="nf">find_role_for_context</span><span class="p">(</span> <span class="n">roles</span><span class="p">,</span> <span class="n">tenant_id</span><span class="p">,</span> <span class="n">use_case_id</span><span class="p">,</span> <span class="n">environment</span> <span class="p">)</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">matching_role</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">No access to </span><span class="si">{</span><span class="n">tenant_id</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">use_case_id</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">environment</span><span class="si">}</span><span class="sh">"</span> <span class="p">)</span> <span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">matching_role</span> <span class="k">return</span> <span class="n">result</span> </code></pre> </div> <p>This is the difference between "every request takes 200ms to validate" and "every request takes &lt;1ms to validate." The session is already in Redis. The role lookup is a JSON parse + list scan. Done.</p> <h2> The Login Flow: Putting It Together </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser │ │ GET /auth/userinfo ▼ ALB (OIDC authenticate) │ │ verified user → forwarded with OIDC headers ▼ Backend Login Handler │ ├─ 1. Decode &amp; verify OIDC token (claims extraction) ├─ 2. Map IdP groups → platform roles (7-role hierarchy) ├─ 3. Build entitlements (tenant → use_case → env → role) ├─ 4. Store session in Redis (session:&lt;uuid&gt;) ├─ 5. Return session_id + tenants to frontend │ ▼ Frontend stores session_id │ │ Subsequent API calls include X-Session-Id header ▼ Any Backend Service │ ├─ Validate session from Redis (sub-ms) ├─ Check role mapping for requested resource └─ If STS credentials needed: ├─ Check Redis cache first (sub-ms) └─ Call STS only on cache miss (~200ms) </code></pre> </div> <p>The first login is the "expensive" one (~500ms total including STS). Every subsequent request benefits from the cache.</p> <h2> Connection Pooling: Don't Skip This </h2> <p>A surprisingly common mistake: creating a new Redis connection per request.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># ❌ Don't do this </span><span class="k">def</span> <span class="nf">get_session</span><span class="p">(</span><span class="n">session_id</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nc">Redis</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">6379</span><span class="p">)</span> <span class="c1"># new connection! </span> <span class="k">return</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">session:</span><span class="si">{</span><span class="n">session_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># ✅ Do this — reuse a connection pool </span><span class="n">_pool</span> <span class="o">=</span> <span class="nc">ConnectionPool</span><span class="p">(</span><span class="n">host</span><span class="o">=</span><span class="sh">"</span><span class="s">localhost</span><span class="sh">"</span><span class="p">,</span> <span class="n">port</span><span class="o">=</span><span class="mi">6379</span><span class="p">,</span> <span class="n">max_connections</span><span class="o">=</span><span class="mi">50</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_session</span><span class="p">(</span><span class="n">session_id</span><span class="p">):</span> <span class="n">client</span> <span class="o">=</span> <span class="n">redis</span><span class="p">.</span><span class="nc">Redis</span><span class="p">(</span><span class="n">connection_pool</span><span class="o">=</span><span class="n">_pool</span><span class="p">)</span> <span class="k">return</span> <span class="n">client</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">session:</span><span class="si">{</span><span class="n">session_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Each TCP connection to Redis costs ~1ms to establish. At 1,000 req/s, that's 1 full second of CPU time per second just on handshakes. Connection pooling makes this a non-issue.</p> <h2> Observability: Know Your Hit Ratio </h2> <p>We track cache operations with Prometheus counters:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">prometheus_client</span> <span class="kn">import</span> <span class="n">Counter</span><span class="p">,</span> <span class="n">Gauge</span> <span class="n">cache_operations_total</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span> <span class="sh">"</span><span class="s">cache_operations_total</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Total cache operations</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">tenant_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">operation</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="n">cache_hit_ratio</span> <span class="o">=</span> <span class="nc">Gauge</span><span class="p">(</span> <span class="sh">"</span><span class="s">cache_hit_ratio</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Rolling cache hit ratio</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="sh">"</span><span class="s">tenant_id</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> </code></pre> </div> <p>Labels like <code>operation=get_creds</code> and <code>status=hit|miss|expired|error</code> let you build dashboards that answer:</p> <ul> <li>What's our STS cache hit ratio? (target: &gt;85%)</li> <li>Which tenants have the most cache misses? (may indicate config drift)</li> <li>Are we seeing Redis errors? (time to check cluster health)</li> </ul> <p>If your hit ratio drops below 80%, something is wrong—either TTLs are too short, sessions are thrashing, or your Redis instance is under memory pressure.</p> <h2> TLS + Secrets Manager: Production Hardening </h2> <p>In production, Redis connections should be encrypted and passwords should never live in env vars:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_load_password_from_secrets_manager</span><span class="p">(</span><span class="n">secret_arn</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Load Redis auth token from AWS Secrets Manager.</span><span class="sh">"""</span> <span class="n">sm</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">secretsmanager</span><span class="sh">"</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">sm</span><span class="p">.</span><span class="nf">get_secret_value</span><span class="p">(</span><span class="n">SecretId</span><span class="o">=</span><span class="n">secret_arn</span><span class="p">)</span> <span class="n">secret</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">SecretString</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="c1"># Support both plain strings and JSON secrets </span> <span class="k">if</span> <span class="n">secret</span><span class="p">.</span><span class="nf">strip</span><span class="p">().</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">{</span><span class="sh">"</span><span class="p">):</span> <span class="n">obj</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">secret</span><span class="p">)</span> <span class="k">for</span> <span class="n">key</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">"</span><span class="s">password</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">authToken</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">token</span><span class="sh">"</span><span class="p">):</span> <span class="k">if</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">obj</span><span class="p">:</span> <span class="k">return</span> <span class="n">obj</span><span class="p">[</span><span class="n">key</span><span class="p">]</span> <span class="k">return</span> <span class="n">secret</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> </code></pre> </div> <p>We also cache the fetched secret in-process—no need to call Secrets Manager on every pool initialization. And we configure TLS via the <code>SSLConnection</code> class from the Redis Python client:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">redis.connection</span> <span class="kn">import</span> <span class="n">SSLConnection</span> <span class="n">pool_kwargs</span><span class="p">[</span><span class="sh">"</span><span class="s">connection_class</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">SSLConnection</span> </code></pre> </div> <p>This gives you in-transit encryption for ElastiCache, which is a compliance checkbox you'd rather check early.</p> <h2> Gotchas (A.K.A. What Bit Us So It Doesn't Bite You) </h2> <h3> 1. Stale Credentials After Role Changes </h3> <p>If a user's role changes (e.g., promoted from <code>USE_CASE_DEVELOPER</code> to <code>USE_CASE_OWNER</code>), the cached session still has the old role mappings. Our fix: invalidate the session on role change and force a re-login.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">invalidate_session</span><span class="p">(</span><span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">client</span> <span class="o">=</span> <span class="nf">get_redis_client</span><span class="p">()</span> <span class="k">return</span> <span class="n">client</span><span class="p">.</span><span class="nf">delete</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">session:</span><span class="si">{</span><span class="n">session_id</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">0</span> </code></pre> </div> <h3> 2. Redis Goes Down — What Then? </h3> <p>Redis is fast, but it's not invincible. If the Redis cluster is unreachable:</p> <ul> <li>Session validation should fail-closed (reject the request, don't silently allow it)</li> <li>Log aggressively so ops teams see the outage</li> <li>Never fall back to "allow all" — that's a security vulnerability disguised as fault tolerance</li> </ul> <h3> 3. Session Key Collisions </h3> <p>Using predictable keys (like <code>session:&lt;user_email&gt;</code>) opens the door to session hijacking. Use <code>session:&lt;uuid4&gt;</code> — the session ID should be unguessable.</p> <h3> 4. Memory Pressure in Multi-Tenant Environments </h3> <p>Each session stores role mappings for every tenant/use-case the user can access. A platform admin with access to 50 tenants has a bigger session object than a single-tenant end user. Monitor Redis memory usage and set <code>maxmemory-policy</code> to <code>volatile-lru</code> so expired keys get evicted first.</p> <h3> 5. Binding Token Replay Attacks </h3> <p>If your auth flow uses one-time binding tokens (e.g., for device code flows), mark them as consumed in Redis with a short TTL:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">mark_binding_token_consumed</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">ttl</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">900</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">binding_token:consumed:</span><span class="si">{</span><span class="n">token</span><span class="p">[</span><span class="si">:</span><span class="mi">16</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="nf">get_redis_client</span><span class="p">().</span><span class="nf">setex</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="n">ttl</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">def</span> <span class="nf">is_binding_token_consumed</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">binding_token:consumed:</span><span class="si">{</span><span class="n">token</span><span class="p">[</span><span class="si">:</span><span class="mi">16</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="k">return</span> <span class="nf">bool</span><span class="p">(</span><span class="nf">get_redis_client</span><span class="p">().</span><span class="nf">exists</span><span class="p">(</span><span class="n">key</span><span class="p">))</span> </code></pre> </div> <h2> When You Should <em>Not</em> Use This Pattern </h2> <ul> <li> <strong>Single-user apps</strong> — if you have 10 users, the extra Redis infrastructure isn't worth it. A signed JWT with short expiry is simpler.</li> <li> <strong>Stateless-only architectures</strong> — if your design principle is "no server-side state," Redis sessions are a philosophical violation. (But also: stateless auth at scale has its own costs.)</li> <li> <strong>No AWS roles to assume</strong> — if you're not using STS, the credential caching half of this pattern doesn't apply. The session caching half still might.</li> </ul> <h2> A Practical Implementation Checklist </h2> <ul> <li>[ ] Deploy Redis (ElastiCache Serverless or self-managed cluster with replication)</li> <li>[ ] Enable TLS in-transit (<code>SSLConnection</code>)</li> <li>[ ] Store Redis password in Secrets Manager, not env vars</li> <li>[ ] Use connection pooling (<code>ConnectionPool</code> with <code>max_connections</code>)</li> <li>[ ] Set session TTL to match your security requirements (we use 1 hour)</li> <li>[ ] Add 5-minute expiration buffer on STS credential cache</li> <li>[ ] Implement <code>health_check()</code> — ping Redis on startup and expose <code>/health</code> </li> <li>[ ] Add Prometheus metrics for cache hit/miss/error rates</li> <li>[ ] Set <code>maxmemory-policy</code> to <code>volatile-lru</code> on the Redis instance</li> <li>[ ] Document your invalidation strategy (when do cached sessions get killed?)</li> <li>[ ] Test Redis-down scenarios (your app should fail-closed, not fail-open)</li> <li>[ ] Load SSM parameters at startup, not import time (env vars must be populated first)</li> </ul> <h2> The Numbers </h2> <p>Before Redis caching:</p> <ul> <li>Login: ~800ms (OIDC + STS + DB lookups)</li> <li>Subsequent API auth: ~200ms per request (session re-validation + STS)</li> <li>STS calls: 1 per authenticated request</li> </ul> <p>After Redis caching:</p> <ul> <li>Login: ~500ms (OIDC + STS + Redis write — the STS is cached for next time)</li> <li>Subsequent API auth: <strong>&lt;1ms</strong> (Redis GET + JSON parse)</li> <li>STS calls: 1 per unique tenant/role/env combination per session lifetime</li> </ul> <p>At 10,000 authenticated requests per hour, that's the difference between 10,000 STS calls and ~50. Your AWS bill notices. Your users notice. Your on-call rotation notices.</p> <h2> Closing: The Fastest Auth Call Is the One You Don't Make </h2> <p>Redis isn't just a cache layer for your database queries. It's the foundation of a fast, secure auth perimeter.</p> <p>The session cache eliminates per-request identity lookups. The STS credential cache eliminates per-request IAM calls. Together, they turn your auth layer from a distributed systems problem into a local memory read.</p> <p>And when security is fast, developers stop looking for shortcuts around it.</p> <p><em>What's your strategy for caching short-lived AWS credentials? Do you cache at the application layer, use credential providers, or something else entirely? Drop a comment — I'm curious what patterns are working for others.</em></p> <h2> Resources </h2> <ul> <li>AWS Docs: <a href="https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html" rel="noopener noreferrer">STS AssumeRole</a> — rate limits and best practices</li> <li>Redis: <a href="https://redis.readthedocs.io/en/stable/connections.html#connection-pools" rel="noopener noreferrer">Connection Pooling</a> in the Python client</li> <li>AWS ElastiCache: <a href="https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/in-transit-encryption.html" rel="noopener noreferrer">In-transit encryption</a> </li> <li>Prometheus: <a href="https://prometheus.github.io/client_python/" rel="noopener noreferrer">Client instrumentation for Python</a> </li> </ul> <h2> About the Author </h2> <p><strong>Suraj Khaitan</strong> — Gen AI Architect | Building scalable platforms and secure cloud-native systems</p> <p>Connect on <a href="https://www.linkedin.com/in/suraj-khaitan-501736a2/" rel="noopener noreferrer">LinkedIn</a> | Follow for more engineering and architecture write-ups</p> aws python redis ai Suraj Khaitan Sun, 08 Feb 2026 07:01:00 +0000 https://dev.to/suraj_khaitan_f893c243958/we-deleted-our-login-code-alb-oidc-for-serverless-frontends-aok https://dev.to/suraj_khaitan_f893c243958/we-deleted-our-login-code-alb-oidc-for-serverless-frontends-aok <p><em>How moving auth to the load balancer with ALB’s <code>authenticate_oidc</code> made our UI simpler, our defaults safer, and our incidents rarer</em></p> <h2> The Day “Just Store the Token” Stopped Being Funny </h2> <p>At some point, every frontend team gets the same suggestion:</p> <blockquote> <p>“Just do OAuth in the browser, store the token, and attach it on API calls.”</p> </blockquote> <p>It works—until it doesn’t.</p> <p>Because the moment your UI becomes responsible for <strong>token storage, refresh logic, callback routes, and logout semantics</strong>, your “frontend” quietly turns into an auth product.</p> <p>We fixed this by doing something that feels almost illegal:</p> <blockquote> <p>We let the load balancer handle the login.</p> </blockquote> <p>Specifically: <strong>AWS Application Load Balancer (ALB) + <code>authenticate_oidc</code> + a serverless frontend target (Lambda)</strong>.</p> <h2> TL;DR (If You Only Read One Section) </h2> <ul> <li> <strong>Problem:</strong> App-level OIDC spreads secrets + token handling across every UI route and runtime.</li> <li> <strong>Move:</strong> Put OIDC at the edge using ALB <code>authenticate_oidc</code>.</li> <li> <strong>Result:</strong> Less auth code in the app, fewer token footguns, and a “secure-by-default” perimeter.</li> <li> <strong>Tradeoff:</strong> Local dev + logout semantics require intentional design.</li> </ul> <h2> Why This Pattern Is Trending Right Now </h2> <p>Across dev communities lately, the popular themes are consistent:</p> <ul> <li>“Stop overbuilding auth in every app.”</li> <li>“Move concerns up the stack.”</li> <li>“Make security the default, not a checklist item.”</li> </ul> <p>Edge-auth patterns (ALB OIDC, gateway authorizers, access proxies) are having a moment because they reduce the number of places a team can accidentally get auth wrong.</p> <h2> The Real Problem: Token Chaos Isn’t One Bug—It’s a Lifestyle </h2> <p>If you do OIDC inside the frontend, you almost inevitably accumulate:</p> <ul> <li>A callback route you must never break</li> <li>Token storage debates (<code>localStorage</code> vs memory vs cookies)</li> <li>Refresh token logic (and the day it fails in production)</li> <li>“Why did it log me out?” issues</li> <li>Security reviews that keep expanding scope</li> </ul> <p>And the nastiest part is: it’s not <em>one</em> critical bug—it’s <strong>a hundred tiny sharp edges</strong>.</p> <h2> The Pivot: Authentication at the ALB </h2> <p>When you use <code>authenticate_oidc</code>, the ALB becomes the bouncer:</p> <ul> <li>Unauthenticated requests get redirected to your Identity Provider (IdP)</li> <li>The ALB completes the OIDC flow</li> <li>The ALB maintains an authenticated session (cookie-based)</li> <li>Only authenticated requests reach your target</li> </ul> <p>Your serverless frontend (often a Lambda router / SSR / fallback handler) simply… serves pages.</p> <p>The vibe shifts from:</p> <blockquote> <p>“Did we implement OAuth correctly?”</p> </blockquote> <p>to:</p> <blockquote> <p>“If I got a 200, I’m logged in.”</p> </blockquote> <h2> The Request Flow in 30 Seconds </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Browser | | GET /anything v ALB (authenticate_oidc) | | not logged in? | 302 -&gt; IdP v IdP (login) | | 302 -&gt; ALB callback v ALB (sets session cookies) | | forward v Lambda target (serverless frontend router) </code></pre> </div> <p>Notice what’s missing:</p> <ul> <li>No client-side token parsing</li> <li>No callback handler in your React app</li> <li>No refresh logic scattered across fetch calls</li> </ul> <h2> A Minimal, Anonymized CDK Snippet </h2> <p>This is intentionally “shape only” (no real URLs, no org names). The essence is:</p> <p>1) forward to a Lambda target group<br> 2) wrap it with <code>authenticate_oidc</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_elasticloadbalancingv2</span> <span class="k">as</span> <span class="n">elbv2</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">aws_elasticloadbalancingv2_targets</span> <span class="k">as</span> <span class="n">targets</span> <span class="kn">from</span> <span class="n">aws_cdk</span> <span class="kn">import</span> <span class="n">SecretValue</span> <span class="n">frontend_tg</span> <span class="o">=</span> <span class="n">elbv2</span><span class="p">.</span><span class="nc">ApplicationTargetGroup</span><span class="p">(</span> <span class="n">scope</span><span class="p">,</span> <span class="sh">"</span><span class="s">FrontendTg</span><span class="sh">"</span><span class="p">,</span> <span class="n">target_type</span><span class="o">=</span><span class="n">elbv2</span><span class="p">.</span><span class="n">TargetType</span><span class="p">.</span><span class="n">LAMBDA</span><span class="p">,</span> <span class="n">targets</span><span class="o">=</span><span class="p">[</span><span class="n">targets</span><span class="p">.</span><span class="nc">LambdaTarget</span><span class="p">(</span><span class="n">frontend_router_lambda</span><span class="p">)],</span> <span class="p">)</span> <span class="n">listener</span><span class="p">.</span><span class="nf">add_action</span><span class="p">(</span> <span class="sh">"</span><span class="s">FrontendWithOidc</span><span class="sh">"</span><span class="p">,</span> <span class="n">priority</span><span class="o">=</span><span class="mi">100</span><span class="p">,</span> <span class="n">conditions</span><span class="o">=</span><span class="p">[</span><span class="n">elbv2</span><span class="p">.</span><span class="n">ListenerCondition</span><span class="p">.</span><span class="nf">path_patterns</span><span class="p">([</span><span class="sh">"</span><span class="s">/*</span><span class="sh">"</span><span class="p">])],</span> <span class="n">action</span><span class="o">=</span><span class="n">elbv2</span><span class="p">.</span><span class="n">ListenerAction</span><span class="p">.</span><span class="nf">authenticate_oidc</span><span class="p">(</span> <span class="n">issuer</span><span class="o">=</span><span class="sh">"</span><span class="s">https://idp.example/</span><span class="sh">"</span><span class="p">,</span> <span class="n">authorization_endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">https://idp.example/oauth2/authorize</span><span class="sh">"</span><span class="p">,</span> <span class="n">token_endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">https://idp.example/oauth2/token</span><span class="sh">"</span><span class="p">,</span> <span class="n">user_info_endpoint</span><span class="o">=</span><span class="sh">"</span><span class="s">https://idp.example/oauth2/userinfo</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_id</span><span class="o">=</span><span class="sh">"</span><span class="s">&lt;client-id&gt;</span><span class="sh">"</span><span class="p">,</span> <span class="n">client_secret</span><span class="o">=</span><span class="n">SecretValue</span><span class="p">.</span><span class="nf">secrets_manager</span><span class="p">(</span><span class="sh">"</span><span class="s">/path/to/oidc-secret</span><span class="sh">"</span><span class="p">),</span> <span class="nb">next</span><span class="o">=</span><span class="n">elbv2</span><span class="p">.</span><span class="n">ListenerAction</span><span class="p">.</span><span class="nf">forward</span><span class="p">([</span><span class="n">frontend_tg</span><span class="p">]),</span> <span class="p">),</span> <span class="p">)</span> </code></pre> </div> <p>Quick rules that save pain:</p> <ul> <li>Keep the OIDC secret in a secret manager, not env vars.</li> <li>Make sure listener priorities don’t collide.</li> <li>Default to protecting <code>/*</code> unless you truly want public routes.</li> </ul> <h2> How This Changed Our Security Posture (In Plain English) </h2> <h3> 1) “Secure by default” stops being a slogan </h3> <p>With ALB OIDC, every path behind the listener rule becomes authenticated by default. You’re no longer relying on every route guard, every component, and every refactor to “remember auth.”</p> <h3> 2) Less token exposure in the browser </h3> <p>The browser is a hostile environment. Reducing token handling in the UI reduces your exposure to:</p> <ul> <li>XSS turning into token theft</li> <li>accidental logging of sensitive values</li> <li>copy-paste auth bugs across micro-frontends</li> </ul> <h3> 3) Fewer app secrets </h3> <p>If your frontend app doesn’t need to “be an OAuth client,” it also needs fewer secrets and fewer complicated deployment rules.</p> <h2> The Subtle but Important Split: Auth vs Authorization </h2> <p>ALB OIDC is excellent at <strong>authentication</strong> (“who are you?”).</p> <p>But you still need strong <strong>authorization</strong> (“what can you do?”):</p> <ul> <li>RBAC: role-based permissions</li> <li>ABAC: tenant/env/resource scoping</li> </ul> <p>The clean division:</p> <ul> <li> <strong>ALB:</strong> verify the user is logged in</li> <li> <strong>Backend:</strong> enforce permissions and data scope</li> </ul> <p>If you try to do all authorization at the load balancer, you’ll end up with something brittle and hard to evolve.</p> <h2> Gotchas (A.K.A. The Part Everyone Learns in Production) </h2> <h3> 1) Callback path behavior </h3> <p>ALB uses a callback endpoint (often something like <code>/oauth2/idpresponse</code>). Make sure your routing rules don’t accidentally break it.</p> <h3> 2) Claims can get huge </h3> <p>Too many groups/roles/claims can hit header/cookie limits. Mitigations:</p> <ul> <li>keep tokens/claims lean</li> <li>fetch richer profile data server-side</li> <li>store heavy identity in your own session store</li> </ul> <h3> 3) Logout is three separate things </h3> <p>There’s:</p> <ul> <li>app logout</li> <li>ALB session cookie</li> <li>IdP session</li> </ul> <p>Define what “Logout” means for your UX and compliance requirements.</p> <h3> 4) Local dev can feel weird </h3> <p>Production has ALB OIDC; your laptop doesn’t.</p> <p>Good local-dev patterns:</p> <ul> <li>inject mocked identity headers in dev</li> <li>run a lightweight local gateway that simulates “auth at the edge”</li> <li>keep backend authorization testable without a real IdP</li> </ul> <h2> A Practical Rollout Checklist </h2> <ul> <li>Verify OIDC endpoints: issuer + authorize + token + userinfo</li> <li>Store the client secret in a secret manager</li> <li>Confirm listener rule priority ordering</li> <li>Ensure callback path is reachable through routing rules</li> <li>Enforce HTTPS everywhere</li> <li>Enable ALB access logs</li> <li>Document logout behavior (what it clears)</li> <li>Write down the local-dev story (seriously)</li> </ul> <h2> When You Should <em>Not</em> Use ALB OIDC </h2> <p>Avoid / reconsider if:</p> <ul> <li>you need complex per-request authorization decisions before forwarding</li> <li>you don’t have an ALB in the request path (pure CDN with no origin auth)</li> <li>your org mandates a different gateway or zero-trust access layer</li> </ul> <h2> Closing: Make the Safe Path the Easy Path </h2> <p>The benefit of this pattern isn’t novelty.</p> <p>It’s that you can remove an entire category of mistakes:</p> <ul> <li>less auth code in the UI</li> <li>fewer ways to leak tokens</li> <li>consistent enforcement across routes</li> </ul> <p>And when security is the default, teams move faster—because fewer changes require “special auth handling.”</p> <p><em>If you’ve done edge auth (ALB OIDC, gateway authorizers, access proxies), what hurt most for you: local dev, logout, or claim size?</em></p> <h2> Resources </h2> <ul> <li>AWS Docs: Application Load Balancer authentication actions (OIDC)</li> <li>AWS CDK: <code>ListenerAction.authenticate_oidc</code> </li> <li>OAuth 2.0 / OIDC basics (for understanding redirects, authorization code flow)</li> </ul> <h2> About the Author </h2> <p><strong>Suraj Khaitan</strong> — Gen AI Architect | Building scalable platforms and secure cloud-native systems</p> <p>Connect on <a href="https://www.linkedin.com/in/suraj-khaitan-501736a2/" rel="noopener noreferrer">LinkedIn</a> | Follow for more engineering and architecture write-ups</p> ai aws oauth agents Suraj Khaitan Sun, 25 Jan 2026 06:20:17 +0000 https://dev.to/suraj_khaitan_f893c243958/-rag-in-2026-a-practical-blueprint-for-retrieval-augmented-generation-16pp https://dev.to/suraj_khaitan_f893c243958/-rag-in-2026-a-practical-blueprint-for-retrieval-augmented-generation-16pp <p><em>How to make LLMs feel “grounded” in your data—without turning your app into a prompt-factory.</em></p> <p>Large Language Models are incredible at <em>language</em>, but they still have two awkward traits in production:</p> <ol> <li> <strong>They don’t know your private data by default</strong> (docs, tickets, code, policies).</li> <li><strong>They can sound confident even when they’re guessing.</strong></li> </ol> <p>Retrieval-Augmented Generation (RAG) is the most reliable pattern I’ve used to fix both—by giving the model <em>just-in-time</em> access to relevant context at the moment it answers.</p> <p>This post is a practical, medium-depth tour of RAG: the core architecture, the failure modes, and the “advanced knobs” that actually move quality (reranking, routing, query strategies, and better indexing). I’ll also point you to a great open-source reference implementation that I’ve been using as a sanity check.</p> <h2> 🔎 The Core Idea: Don’t Train, Retrieve </h2> <p>Think of RAG as two systems working together:</p> <ul> <li> <strong>Retriever:</strong> finds the best supporting context for a question.</li> <li> <strong>Generator (LLM):</strong> writes the final answer using the retrieved context.</li> </ul> <p>Instead of trying to cram your entire knowledge base into model weights, you keep your knowledge in stores that are good at search (vector DBs, relational DBs, graph DBs), retrieve the best bits, and then let the LLM do what it does best: compose a response.</p> <p>A good mental model:</p> <blockquote> <p><strong>RAG = Search + Reasoning</strong></p> </blockquote> <p>Search brings <em>facts</em>. Reasoning provides <em>coherence</em>.</p> <h2> 🏗️ A Clean RAG Architecture (What Actually Matters) </h2> <p>Most RAG diagrams look complex because they include every optional component. Here’s a simple backbone that scales:</p> <ol> <li> <strong>Ingest</strong> documents (PDFs, web pages, internal wikis, tickets)</li> <li> <strong>Chunk</strong> them into retrievable units</li> <li> <strong>Embed</strong> chunks into vectors</li> <li> <strong>Index</strong> vectors in a vector store</li> <li> <strong>Retrieve</strong> top-$k$ chunks for a question</li> <li> <strong>Generate</strong> an answer with citations / grounded context</li> </ol> <p>In code, the minimal version feels like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>question -&gt; embed(question) -&gt; similarity_search -&gt; context -&gt; LLM(prompt + context) </code></pre> </div> <p>If you only build that, you’ll get something working quickly—but you’ll also quickly hit the real-world issues:</p> <ul> <li>Retrieval returns “nearby” chunks that don’t actually answer the question</li> <li>The best chunk is buried at rank 17</li> <li>A single query phrasing misses the right terminology</li> <li>Some questions should query SQL or a graph, not embeddings</li> </ul> <p>That’s where the next layers matter.</p> <h2> 📦 Retrieval Isn’t Only Vectors: Pick the Right Store </h2> <p>A mature RAG system doesn’t have to be “vector-only”. Depending on the question, retrieval can come from:</p> <ul> <li> <strong>Vector stores:</strong> semantic search over unstructured text (docs, emails, transcripts)</li> <li> <strong>Relational DBs:</strong> exact structured facts (orders, users, pricing, logs)</li> <li> <strong>Graph DBs:</strong> relationships and traversals (org charts, dependency graphs, knowledge graphs)</li> </ul> <p>In practice, you often end up with a hybrid:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Data type</th> <th>Best retrieval style</th> <th>Example question</th> </tr> </thead> <tbody> <tr> <td>Policies / long docs</td> <td>Vector search</td> <td>“What’s our parental leave policy?”</td> </tr> <tr> <td>Metrics / records</td> <td>SQL</td> <td>“What was churn last quarter in EMEA?”</td> </tr> <tr> <td>Relationships</td> <td>Cypher / graph queries</td> <td>“Who owns service X and what depends on it?”</td> </tr> </tbody> </table></div> <p>This is why modern RAG stacks include things like <strong>Text-to-SQL</strong>, <strong>Text-to-Cypher</strong>, and <strong>self-query retrievers</strong> (where the model generates a structured search query and metadata filters).</p> <h2> 🧭 Routing: The “Secret Sauce” for Multi-Source RAG </h2> <p>If you only have one data source, retrieval is straightforward. But the moment you add a relational database, a vector store, and maybe a graph—your first big design decision becomes:</p> <blockquote> <p><strong>How do I route a user’s question to the right retriever?</strong></p> </blockquote> <p>Two patterns show up repeatedly:</p> <h3> 1) Logical routing </h3> <p>Simple rules or a lightweight classifier.</p> <ul> <li>“If the question mentions revenue, query SQL.”</li> <li>“If the question mentions ‘policy’, use the handbook index.”</li> </ul> <h3> 2) Semantic routing </h3> <p>Use embeddings (or a small LLM prompt) to decide which tool to call.</p> <p>This reduces “tool spam” and usually improves relevance because you retrieve from the <em>right</em> store first.</p> <h2> 🧠 Query Strategies That Increase Recall (Without Overfetching) </h2> <p>Most weak RAG answers are not generation problems—they’re retrieval problems.</p> <p>A single user question is often ambiguous. Strong pipelines expand the query space <em>before</em> retrieving.</p> <p>Here are query strategies I’ve seen consistently help:</p> <h3> Multi-query </h3> <p>Generate multiple paraphrases of the question and retrieve for each.</p> <p>Why it works: different phrasing hits different vocabulary.</p> <h3> Step-back questions </h3> <p>Ask a higher-level sub-question first (“What concept is this about?”), then use that to retrieve.</p> <p>Why it works: reduces lexical mismatch and anchors retrieval.</p> <h3> HyDE (Hypothetical Document Embeddings) </h3> <p>Generate a <em>hypothetical</em> answer document, embed that, and retrieve based on it.</p> <p>Why it works: the hypothetical answer contains domain language the user may not use.</p> <h3> RAG-Fusion </h3> <p>Retrieve multiple lists (from multi-query, HyDE, etc.) and then <strong>fuse</strong> rankings (often using Reciprocal Rank Fusion).</p> <p>Why it works: you get strong recall without blindly increasing $k$.</p> <h2> 🥇 Reranking: Fix “The Answer Was in the Context, But…” </h2> <p>If you’ve built a basic RAG system, you’ve likely seen this failure mode:</p> <ul> <li>The right chunk is retrieved</li> <li>But it’s ranked too low</li> <li>The LLM focuses on the wrong chunk</li> </ul> <p>Reranking is the clean fix.</p> <p>A common pipeline looks like:</p> <ol> <li>Retrieve top 20–50 chunks cheaply (vector similarity)</li> <li>Rerank top candidates with a stronger model (cross-encoder, LLM-based ranker, or a reranker API)</li> <li>Feed the top 3–8 chunks to the generator</li> </ol> <p>You’ll see reranking approaches referenced as:</p> <ul> <li><strong>Cross-encoder rerankers</strong></li> <li> <strong>LLM ranking</strong> (sometimes called RankGPT-style ranking)</li> <li> <strong>RRF</strong> (Reciprocal Rank Fusion) when merging multiple retrieval lists</li> </ul> <p>This is one of the highest ROI upgrades in RAG.</p> <h2> 🧹 Filter &amp; Compress: The Missing Piece for Long Context </h2> <p>Even if retrieval is good, the final prompt can still be noisy:</p> <ul> <li>repeated information</li> <li>irrelevant paragraphs</li> <li>chunks that overlap heavily</li> </ul> <p>That’s where <strong>contextual compression</strong> comes in: after retrieval, you summarize, extract, or filter down to only what matters.</p> <p>This is especially important as your data grows and you start using larger $k$ values.</p> <h2> 🗂️ Indexing: Where Most Teams Underinvest </h2> <p>Indexing decisions quietly determine your ceiling.</p> <p>Here are indexing techniques worth knowing (and testing):</p> <h3> Chunk optimization </h3> <p>Chunk size is not a constant. Different document types want different chunking.</p> <ul> <li>Too small → context fragments</li> <li>Too large → retrieval becomes “blurry”</li> </ul> <h3> Semantic splitting </h3> <p>Split on meaning (headings, sections), not arbitrary character counts.</p> <h3> Parent-document retrieval </h3> <p>Store embeddings for child chunks but return a larger “parent” span when answering.</p> <h3> Multi-representation indexing </h3> <p>Index both:</p> <ul> <li>fine-grained chunks for precision</li> <li>summaries for recall</li> </ul> <h3> Specialized embeddings / fine-tuning </h3> <p>If your domain has unique language (legal, medicine, internal code), embeddings matter.</p> <h3> Hierarchical indexing (RAPTOR-like) </h3> <p>Build a tree of summaries from leaves → root so retrieval can happen at multiple abstraction levels.</p> <h3> Token-level retrieval (ColBERT-style) </h3> <p>A stronger retrieval approach when semantics are subtle and bag-of-vector similarity struggles.</p> <p>You don’t need all of these. But the point is: <strong>RAG quality is frequently an indexing problem disguised as an LLM problem.</strong></p> <h2> 🔁 Active Retrieval (and Why It’s the Future) </h2> <p>Some questions require the system to <em>work</em>:</p> <ul> <li>ask clarifying questions</li> <li>reformulate queries mid-flight</li> <li>retry retrieval when evidence is weak</li> </ul> <p>You’ll sometimes see this category described as <strong>active retrieval</strong> (including approaches like CRAG / self-correcting retrieval patterns).</p> <p>The takeaway: the best RAG systems aren’t one-shot. They behave more like a careful researcher.</p> <h2> 🧪 A Hands-On Reference: bRAG-langchain </h2> <p>If you want something concrete to learn from (and compare against your own implementation), I recommend checking out the open-source project here:</p> <ul> <li><a href="https://github.com/bRAGAI/bRAG-langchain/" rel="noopener noreferrer">https://github.com/bRAGAI/bRAG-langchain/</a></li> </ul> <p>What I like about it:</p> <ul> <li>It walks from baseline RAG → multi-query → routing → advanced indexing → reranking</li> <li>It’s notebook-driven, so you can test ideas quickly</li> <li>It keeps the focus on practical patterns (not just theory)</li> </ul> <p>A suggested learning path mirrors the notebook sequence:</p> <ol> <li>Baseline RAG setup</li> <li>Multi-query improvements</li> <li>Routing + query construction</li> <li>Advanced indexing</li> <li>Retrieval + reranking + fusion</li> </ol> <p>Use it like a “cookbook”: borrow the <em>ideas</em>, not the exact words.</p> <h2> 👨‍💻 Code Walkthrough (Inspired by bRAG-langchain) </h2> <p>Below are two <em>rewritten</em> snippets inspired by the project’s notebooks (especially <code>full_basic_rag.ipynb</code>). The goal is to show the shape of a clean RAG pipeline—without dumping an entire notebook into a blog post.</p> <blockquote> <p>Attribution: the reference implementation that inspired these patterns is <strong>bRAG AI</strong>: <a href="https://github.com/bRAGAI/bRAG-langchain/" rel="noopener noreferrer">https://github.com/bRAGAI/bRAG-langchain/</a></p> </blockquote> <h3> 1) A minimal LangChain RAG chain (loader → chunks → vectors → retriever → chain) </h3> <p>This is the “boring baseline” that should work before you touch reranking, routing, or fancy indexing.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">from</span> <span class="n">dotenv</span> <span class="kn">import</span> <span class="n">load_dotenv</span> <span class="kn">from</span> <span class="n">langchain_community.document_loaders</span> <span class="kn">import</span> <span class="n">PyPDFLoader</span> <span class="kn">from</span> <span class="n">langchain.text_splitter</span> <span class="kn">import</span> <span class="n">RecursiveCharacterTextSplitter</span> <span class="kn">from</span> <span class="n">langchain_openai</span> <span class="kn">import</span> <span class="n">ChatOpenAI</span><span class="p">,</span> <span class="n">OpenAIEmbeddings</span> <span class="kn">from</span> <span class="n">langchain_pinecone</span> <span class="kn">import</span> <span class="n">PineconeVectorStore</span> <span class="kn">from</span> <span class="n">langchain.prompts</span> <span class="kn">import</span> <span class="n">ChatPromptTemplate</span> <span class="kn">from</span> <span class="n">langchain_core.output_parsers</span> <span class="kn">import</span> <span class="n">StrOutputParser</span> <span class="kn">from</span> <span class="n">langchain_core.runnables</span> <span class="kn">import</span> <span class="n">RunnablePassthrough</span> <span class="nf">load_dotenv</span><span class="p">()</span> <span class="c1"># expects OPENAI_API_KEY, PINECONE_INDEX_NAME, etc. </span> <span class="k">def</span> <span class="nf">join_docs</span><span class="p">(</span><span class="n">docs</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="se">\n\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">d</span><span class="p">.</span><span class="n">page_content</span> <span class="k">for</span> <span class="n">d</span> <span class="ow">in</span> <span class="n">docs</span><span class="p">)</span> <span class="c1"># 1) Load </span><span class="n">docs</span> <span class="o">=</span> <span class="nc">PyPDFLoader</span><span class="p">(</span><span class="sh">"</span><span class="s">path/to/your.pdf</span><span class="sh">"</span><span class="p">).</span><span class="nf">load</span><span class="p">()</span> <span class="c1"># 2) Chunk </span><span class="n">splitter</span> <span class="o">=</span> <span class="nc">RecursiveCharacterTextSplitter</span><span class="p">(</span><span class="n">chunk_size</span><span class="o">=</span><span class="mi">900</span><span class="p">,</span> <span class="n">chunk_overlap</span><span class="o">=</span><span class="mi">150</span><span class="p">)</span> <span class="n">chunks</span> <span class="o">=</span> <span class="n">splitter</span><span class="p">.</span><span class="nf">split_documents</span><span class="p">(</span><span class="n">docs</span><span class="p">)</span> <span class="c1"># 3) Embed + index </span><span class="n">vectorstore</span> <span class="o">=</span> <span class="n">PineconeVectorStore</span><span class="p">.</span><span class="nf">from_documents</span><span class="p">(</span> <span class="n">documents</span><span class="o">=</span><span class="n">chunks</span><span class="p">,</span> <span class="n">embedding</span><span class="o">=</span><span class="nc">OpenAIEmbeddings</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">text-embedding-3-large</span><span class="sh">"</span><span class="p">),</span> <span class="n">index_name</span><span class="o">=</span><span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">PINECONE_INDEX_NAME</span><span class="sh">"</span><span class="p">],</span> <span class="p">)</span> <span class="c1"># 4) Retrieve </span><span class="n">retriever</span> <span class="o">=</span> <span class="n">vectorstore</span><span class="p">.</span><span class="nf">as_retriever</span><span class="p">(</span><span class="n">search_kwargs</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">k</span><span class="sh">"</span><span class="p">:</span> <span class="mi">4</span><span class="p">})</span> <span class="c1"># 5) Generate </span><span class="n">prompt</span> <span class="o">=</span> <span class="n">ChatPromptTemplate</span><span class="p">.</span><span class="nf">from_template</span><span class="p">(</span> <span class="sh">"""</span><span class="s">You are a grounded assistant. Use ONLY the context to answer. Context: {context} Question: {question} If the answer is not in the context, say you don</span><span class="sh">'</span><span class="s">t know. </span><span class="sh">"""</span> <span class="p">)</span> <span class="n">llm</span> <span class="o">=</span> <span class="nc">ChatOpenAI</span><span class="p">(</span><span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">gpt-4o-mini</span><span class="sh">"</span><span class="p">,</span> <span class="n">temperature</span><span class="o">=</span><span class="mf">0.1</span><span class="p">)</span> <span class="n">rag_chain</span> <span class="o">=</span> <span class="p">(</span> <span class="p">{</span><span class="sh">"</span><span class="s">context</span><span class="sh">"</span><span class="p">:</span> <span class="n">retriever</span> <span class="o">|</span> <span class="n">join_docs</span><span class="p">,</span> <span class="sh">"</span><span class="s">question</span><span class="sh">"</span><span class="p">:</span> <span class="nc">RunnablePassthrough</span><span class="p">()}</span> <span class="o">|</span> <span class="n">prompt</span> <span class="o">|</span> <span class="n">llm</span> <span class="o">|</span> <span class="nc">StrOutputParser</span><span class="p">()</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">rag_chain</span><span class="p">.</span><span class="nf">invoke</span><span class="p">(</span><span class="sh">"</span><span class="s">What is this document about?</span><span class="sh">"</span><span class="p">))</span> </code></pre> </div> <p>Why this pattern is nice: retrieval is a pure function of the question, and prompt+LLM are pure functions of <code>{context, question}</code>. That separation makes it easy to add routing, reranking, eval, caching, etc.</p> <h3> 2) Multi-query + fusion (high recall without blindly increasing k) </h3> <p>The repo’s later notebooks explore multi-query / fusion and reranking. The key mental model is:</p> <ul> <li>generate multiple query variants</li> <li>retrieve for each</li> <li> <em>fuse</em> the ranked lists (so strong hits bubble up)</li> <li>optionally rerank the merged set</li> </ul> <p>Here’s a compact sketch using <strong>Reciprocal Rank Fusion (RRF)</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">defaultdict</span> <span class="k">def</span> <span class="nf">rrf_fuse</span><span class="p">(</span><span class="n">ranked_lists</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="n">k</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">,</span> <span class="n">top_n</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">10</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Fuse multiple ranked lists using Reciprocal Rank Fusion. ranked_lists: list[list[Document]] </span><span class="sh">"""</span> <span class="n">scores</span> <span class="o">=</span> <span class="nf">defaultdict</span><span class="p">(</span><span class="nb">float</span><span class="p">)</span> <span class="n">by_id</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">docs</span> <span class="ow">in</span> <span class="n">ranked_lists</span><span class="p">:</span> <span class="k">for</span> <span class="n">rank</span><span class="p">,</span> <span class="n">doc</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">docs</span><span class="p">):</span> <span class="c1"># Prefer a stable ID if you have one; fallback to content hash </span> <span class="n">doc_id</span> <span class="o">=</span> <span class="n">doc</span><span class="p">.</span><span class="n">metadata</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="nf">hash</span><span class="p">(</span><span class="n">doc</span><span class="p">.</span><span class="n">page_content</span><span class="p">)</span> <span class="n">by_id</span><span class="p">[</span><span class="n">doc_id</span><span class="p">]</span> <span class="o">=</span> <span class="n">doc</span> <span class="n">scores</span><span class="p">[</span><span class="n">doc_id</span><span class="p">]</span> <span class="o">+=</span> <span class="mf">1.0</span> <span class="o">/</span> <span class="p">(</span><span class="n">k</span> <span class="o">+</span> <span class="n">rank</span> <span class="o">+</span> <span class="mi">1</span><span class="p">)</span> <span class="n">fused</span> <span class="o">=</span> <span class="nf">sorted</span><span class="p">(</span><span class="n">scores</span><span class="p">,</span> <span class="n">key</span><span class="o">=</span><span class="n">scores</span><span class="p">.</span><span class="n">get</span><span class="p">,</span> <span class="n">reverse</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span> <span class="k">return</span> <span class="p">[</span><span class="n">by_id</span><span class="p">[</span><span class="n">i</span><span class="p">]</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">fused</span><span class="p">[:</span><span class="n">top_n</span><span class="p">]]</span> <span class="k">def</span> <span class="nf">generate_queries</span><span class="p">(</span><span class="n">question</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">str</span><span class="p">]:</span> <span class="c1"># In practice: use an LLM prompt to produce 3–8 diverse rewrites. </span> <span class="k">return</span> <span class="p">[</span> <span class="n">question</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Explain </span><span class="si">{</span><span class="n">question</span><span class="si">}</span><span class="s"> with concrete examples</span><span class="sh">"</span><span class="p">,</span> <span class="sa">f</span><span class="sh">"</span><span class="s">What are the key concepts behind: </span><span class="si">{</span><span class="n">question</span><span class="si">}</span><span class="s">?</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="n">question</span> <span class="o">=</span> <span class="sh">"</span><span class="s">How does RAG reduce hallucinations?</span><span class="sh">"</span> <span class="n">queries</span> <span class="o">=</span> <span class="nf">generate_queries</span><span class="p">(</span><span class="n">question</span><span class="p">)</span> <span class="n">ranked_lists</span> <span class="o">=</span> <span class="p">[</span><span class="n">retriever</span><span class="p">.</span><span class="nf">get_relevant_documents</span><span class="p">(</span><span class="n">q</span><span class="p">)</span> <span class="k">for</span> <span class="n">q</span> <span class="ow">in</span> <span class="n">queries</span><span class="p">]</span> <span class="n">fused_docs</span> <span class="o">=</span> <span class="nf">rrf_fuse</span><span class="p">(</span><span class="n">ranked_lists</span><span class="p">,</span> <span class="n">top_n</span><span class="o">=</span><span class="mi">6</span><span class="p">)</span> <span class="n">answer</span> <span class="o">=</span> <span class="n">rag_chain</span><span class="p">.</span><span class="nf">invoke</span><span class="p">(</span><span class="n">question</span><span class="p">)</span> <span class="c1"># or rebuild chain to use fused_docs </span><span class="nf">print</span><span class="p">(</span><span class="n">answer</span><span class="p">)</span> </code></pre> </div> <p>In production you’d typically rebuild the chain so the “context” comes from <code>fused_docs</code> (and then optionally apply a learned reranker like Cohere Rerank on that smaller candidate set).</p> <h2> ✅ A Production Checklist (Short, but Useful) </h2> <p>Before you ship RAG to real users, make sure you can answer:</p> <ul> <li> <strong>Evaluation:</strong> How will you measure grounded correctness (not just fluency)?</li> <li> <strong>Citations:</strong> Can you show <em>which sources</em> supported the answer?</li> <li> <strong>Fallbacks:</strong> What happens when retrieval confidence is low?</li> <li> <strong>Security:</strong> Are you filtering sensitive docs by user permissions before retrieval?</li> <li> <strong>Freshness:</strong> How often is the index updated? (and can you delete data reliably?)</li> <li> <strong>Latency:</strong> Can you keep response time acceptable with reranking and multi-query?</li> </ul> <h2> Conclusion </h2> <p>RAG isn’t a single technique—it’s a toolbox:</p> <ul> <li>retrieval across the right stores</li> <li>routing to the right tool</li> <li>smarter query generation (multi-query, step-back, HyDE)</li> <li>reranking and fusion</li> <li>compression for long context</li> <li>indexing strategies that scale</li> </ul> <p>If you get retrieval right, generation becomes the easy part.</p> <h2> Resources </h2> <ul> <li>bRAG LangChain project (hands-on notebooks): <a href="https://github.com/bRAGAI/bRAG-langchain/" rel="noopener noreferrer">https://github.com/bRAGAI/bRAG-langchain/</a> </li> <li>RAG architecture diagram source material: see <a href="//RAG_Consolidated.jpg">RAG_Consolidated.jpg</a> </li> </ul> <h2> About the Author </h2> <p><strong>Suraj Khaitan</strong> — Gen AI Architect | Building the next generation of AI-powered development tools</p> <p>Connect on <a href="https://www.linkedin.com/in/suraj-khaitan-501736a2/" rel="noopener noreferrer">LinkedIn</a> | Follow for more AI and software engineering insights</p> <p><strong>Tags:</strong> #AI #RAG #LLM #LangChain #VectorDatabases #InformationRetrieval #GenerativeAI</p> rag agents python webdev Suraj Khaitan Sun, 25 Jan 2026 02:18:37 +0000 https://dev.to/suraj_khaitan_f893c243958/inside-google-antigravity-how-ai-pair-programming-actually-works-16nc https://dev.to/suraj_khaitan_f893c243958/inside-google-antigravity-how-ai-pair-programming-actually-works-16nc <p><em>A deep dive into the architecture, capabilities, and real-world coding experience with Google's revolutionary AI coding assistant</em></p> <h2> The Promise of AI-Powered Development </h2> <p>Imagine having a senior engineer who knows every programming language, can refactor your entire codebase in seconds, understands design patterns across frameworks, and never gets tired. That's the promise of Google Antigravity—but how does it actually work in practice?</p> <p>I recently spent over 10 hours building a complete MacOS desktop simulation in React, including a functional Safari browser, Twitter clone, Spotify player, and even a working Flappy Bird game—all with Antigravity as my pair programmer. This article breaks down the architecture, capabilities, and lessons learned from pushing this AI assistant to its limits.</p> <h2> 🎯 The Architecture: Three Core Layers </h2> <h3> 1. <strong>The Reasoning Engine: Claude 4.5 Sonnet</strong> </h3> <p>At its core, Antigravity uses Anthropic's Claude 4.5 Sonnet with extended "thinking" capabilities. Unlike traditional code completion tools, Antigravity doesn't just autocomplete—it <em>reasons</em> about your entire codebase.</p> <p><strong>What makes it special:</strong></p> <ul> <li> <strong>200K token context window</strong>: Can understand entire codebases, not just snippets</li> <li> <strong>Agentic behavior</strong>: Plans, executes, verifies, and iterates autonomously</li> <li> <strong>Tool use</strong>: Direct filesystem access, browser control, terminal commands</li> <li> <strong>Multi-turn conversations</strong>: Maintains context across hours of development</li> </ul> <h3> 2. <strong>The Tool Layer: Direct System Access</strong> </h3> <p>This is where Antigravity diverges from chat-based AI. It can:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// Read and modify files</span> <span class="nf">view_file</span><span class="p">({</span> <span class="na">AbsolutePath</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/path/to/component.jsx</span><span class="dl">"</span> <span class="p">})</span> <span class="nf">replace_file_content</span><span class="p">({</span> <span class="na">TargetFile</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/path/to/component.jsx</span><span class="dl">"</span><span class="p">,</span> <span class="na">TargetContent</span><span class="p">:</span> <span class="dl">"</span><span class="s2">old code</span><span class="dl">"</span><span class="p">,</span> <span class="na">ReplacementContent</span><span class="p">:</span> <span class="dl">"</span><span class="s2">new code</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// Execute terminal commands</span> <span class="nf">run_command</span><span class="p">({</span> <span class="na">CommandLine</span><span class="p">:</span> <span class="dl">"</span><span class="s2">npm run build</span><span class="dl">"</span><span class="p">,</span> <span class="na">SafeToAutoRun</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="c1">// Control the browser</span> <span class="nf">browser_subagent</span><span class="p">({</span> <span class="na">Task</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Navigate to localhost and take screenshot</span><span class="dl">"</span> <span class="p">})</span> <span class="c1">// Search the web for real-time data</span> <span class="nf">search_web</span><span class="p">({</span> <span class="na">query</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Virat Kohli recent statistics 2026</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <p><strong>Real example from my session:</strong> When I asked for "real data" about cricket players, Antigravity:</p> <ol> <li>Searched the web for current statistics</li> <li>Found Virat Kohli's actual tweets from January 2026</li> <li>Downloaded real images from news sources</li> <li>Updated the entire app with live data—all autonomously</li> </ol> <h3> 3. <strong>The Task Management System</strong> </h3> <p>Antigravity doesn't just execute commands—it <em>manages projects</em>. It uses a sophisticated task boundary system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gh"># task.md (Auto-generated)</span> <span class="p">-</span> [x] Desktop Environment <span class="p"> -</span> [x] Create <span class="sb">`Window`</span> component (Draggable, Controls) <span class="p"> -</span> [x] Create <span class="sb">`MenuBar`</span> component <span class="p"> -</span> [x] Create <span class="sb">`Dock`</span> component <span class="p">-</span> [/] App Adaptation <span class="p"> -</span> [x] Update Spotify for Desktop <span class="p"> -</span> [ ] Update Twitter for Desktop </code></pre> </div> <p>The <code>[/]</code> notation indicates "in progress"—the AI tracks its own state across the conversation.</p> <h2> 📄 Real-World Example: The MacOS Desktop Build </h2> <p>Let me walk through how Antigravity handled a complex, evolving requirement.</p> <h3> <strong>Initial Request</strong> </h3> <blockquote> <p>"Build an iPhone UI simulator with Spotify, Flappy Bird, and Twitter apps"</p> </blockquote> <h3> <strong>Phase 1: Planning Mode</strong> </h3> <p>Antigravity created an <code>implementation_plan.md</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Proposed Changes</span> <span class="gu">### OS Components</span> <span class="gu">#### [NEW] IPhoneFrame.jsx</span> <span class="p">-</span> Notch, rounded corners, status bar <span class="p">-</span> Home bar for navigation <span class="p">-</span> App switching logic <span class="gu">#### [NEW] HomeScreen.jsx </span> <span class="p">-</span> App grid with icons <span class="p">-</span> Glassmorphism dock <span class="gu">### Apps</span> <span class="gu">#### [NEW] SpotifyApp.jsx</span> <span class="p">-</span> Player UI with progress bar <span class="p">-</span> Playlist view <span class="p">-</span> Mock playback logic </code></pre> </div> <p>It then <strong>requested approval</strong> before writing any code. This human-in-the-loop design prevents wasted effort.</p> <h3> <strong>Phase 2: Execution Mode</strong> </h3> <p>Once approved, Antigravity wrote 2,000+ lines of React code across 15 files in minutes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="c1">// Example: Auto-generated Window Component</span> <span class="kd">const</span> <span class="nx">Window</span> <span class="o">=</span> <span class="p">({</span> <span class="nx">id</span><span class="p">,</span> <span class="nx">title</span><span class="p">,</span> <span class="nx">children</span><span class="p">,</span> <span class="nx">onClose</span><span class="p">,</span> <span class="nx">zIndex</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="p">&lt;</span><span class="nt">motion</span><span class="p">.</span><span class="nt">div</span> <span class="na">drag</span> <span class="na">dragMomentum</span><span class="p">=</span><span class="si">{</span><span class="kc">false</span><span class="si">}</span> <span class="na">style</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="nx">zIndex</span> <span class="p">}</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"absolute bg-[#1e1e1e] rounded-xl shadow-2xl"</span> <span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"h-[38px] bg-[#2a2a2a] flex items-center px-4"</span><span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* Traffic light controls */</span><span class="si">}</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex gap-2 group"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">onClick</span><span class="p">=</span><span class="si">{</span><span class="p">()</span> <span class="o">=&gt;</span> <span class="nf">onClose</span><span class="p">(</span><span class="nx">id</span><span class="p">)</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"w-3 h-3 rounded-full bg-[#ff5f57]"</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nc">X</span> <span class="na">size</span><span class="p">=</span><span class="si">{</span><span class="mi">8</span><span class="si">}</span> <span class="na">className</span><span class="p">=</span><span class="s">"opacity-0 group-hover:opacity-100"</span> <span class="p">/&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex-1 text-center text-xs"</span><span class="p">&gt;</span><span class="si">{</span><span class="nx">title</span><span class="si">}</span><span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="nt">div</span> <span class="na">className</span><span class="p">=</span><span class="s">"flex-1 overflow-hidden"</span><span class="p">&gt;</span> <span class="si">{</span><span class="nx">children</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">&lt;/</span><span class="nt">motion</span><span class="p">.</span><span class="nt">div</span><span class="p">&gt;</span> <span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h3> <strong>Phase 3: The Plot Twist</strong> </h3> <p>Midway through, I changed my mind:</p> <blockquote> <p>"Actually, make it MacOS instead of iPhone"</p> </blockquote> <p><strong>What happened next was remarkable:</strong></p> <p>Antigravity didn't just rename variables. It:</p> <ol> <li>Identified architectural incompatibilities (mobile touch → desktop mouse)</li> <li>Updated the entire windowing system to support dragging</li> <li>Replaced the home screen with a desktop + dock</li> <li>Converted mobile apps to desktop windows</li> <li> <strong>Preserved all the existing app logic</strong>—zero rework</li> </ol> <p>The transition took ~5 minutes and 30 file modifications.</p> <h3> <strong>Phase 4: The "It Looks Dull" Crisis</strong> </h3> <p>User feedback:</p> <blockquote> <p>"This is how stupid it looks currently in my laptop, how dumb you are"</p> </blockquote> <p>🔴 <strong>Critical error discovered:</strong> Tailwind CSS wasn't installed!</p> <p>All the styling classes (<code>bg-black</code>, <code>flex</code>, <code>rounded-xl</code>) were being rendered as plain HTML. Antigravity:</p> <ol> <li>Diagnosed the issue from the screenshot</li> <li>Installed <code>tailwindcss</code>, <code>postcss</code>, <code>autoprefixer</code> </li> <li>Created config files (<code>tailwind.config.js</code>, <code>postcss.config.js</code>)</li> <li>Switched to the newer <code>@tailwindcss/postcss</code> plugin when the first attempt failed</li> <li>Rebuilt and verified the fix</li> </ol> <p><strong>The lesson:</strong> Even AI makes mistakes, but it course-corrects <em>fast</em>.</p> <h2> ⚡ The Self-Healing Workflow </h2> <p>Here's what surprised me most: <strong>Antigravity debugs itself</strong>.</p> <h3> Example: The Photo App Failure </h3> <p><strong>User complaint:</strong></p> <blockquote> <p>"No photos of Virat Kohli, videos not working, X not working"</p> </blockquote> <p><strong>Antigravity's response:</strong></p> <ol> <li> <strong>Search for real data:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nf">search_web</span><span class="p">({</span> <span class="na">query</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Virat Kohli recent photos images 2026</span><span class="dl">"</span> <span class="p">})</span> <span class="nf">search_web</span><span class="p">({</span> <span class="na">query</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Virat Kohli Twitter tweets recent 2026</span><span class="dl">"</span> <span class="p">})</span> </code></pre> </div> <ol> <li> <strong>Extract URLs from search results:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">images</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">https://pbs.twimg.com/media/GiC7zqMWsAA0RJL?format=jpg&amp;name=large</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">https://akm-img-a-in.tosshub.com/indiatoday/images/story/202401/...</span><span class="dl">'</span><span class="p">,</span> <span class="c1">// Real sources from news articles</span> <span class="p">];</span> </code></pre> </div> <ol> <li> <strong>Update the component with error handling:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">img</span> <span class="na">src</span><span class="p">=</span><span class="si">{</span><span class="nx">src</span><span class="si">}</span> <span class="na">onError</span><span class="p">=</span><span class="si">{</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">https://via.placeholder.com/400?text=Virat+Kohli</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span><span class="si">}</span> <span class="p">/&gt;</span> </code></pre> </div> <ol> <li> <strong>Switch video player to YouTube embed:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">iframe</span> <span class="na">width</span><span class="p">=</span><span class="s">"100%"</span> <span class="na">height</span><span class="p">=</span><span class="s">"100%"</span> <span class="na">src</span><span class="p">=</span><span class="s">"https://www.youtube.com/embed/[videoId]"</span> <span class="na">allow</span><span class="p">=</span><span class="s">"autoplay; encrypted-media"</span> <span class="na">allowFullScreen</span> <span class="p">/&gt;</span> </code></pre> </div> <p>All of this happened <strong>without me specifying how to fix it</strong>. The AI inferred the problems, researched solutions, and implemented them.</p> <h2> 🎨 The "Real World Data" Challenge </h2> <p>One unique aspect of this session: I demanded <strong>real data</strong>, not lorem ipsum placeholders.</p> <p><strong>The ask:</strong></p> <blockquote> <p>"Get the data from real world on Lauren Bell or Virat Kohli"</p> </blockquote> <p><strong>What Antigravity did:</strong></p> <ol> <li> <strong>Live web search</strong> for current cricket statistics (January 2026)</li> <li> <strong>Extracted structured data:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">stats</span> <span class="o">=</span> <span class="p">{</span> <span class="na">odi</span><span class="p">:</span> <span class="p">{</span> <span class="na">matches</span><span class="p">:</span> <span class="mi">311</span><span class="p">,</span> <span class="na">runs</span><span class="p">:</span> <span class="mi">14797</span><span class="p">,</span> <span class="na">average</span><span class="p">:</span> <span class="dl">'</span><span class="s1">58.72</span><span class="dl">'</span><span class="p">,</span> <span class="na">centuries</span><span class="p">:</span> <span class="mi">54</span> <span class="c1">// Real number from ICC</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Found actual tweets:</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="p">{</span> <span class="nl">content</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Congratulations @NSaina on a legendary career...</span><span class="dl">'</span><span class="p">,</span> <span class="nx">timestamp</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Jan 23</span><span class="dl">'</span><span class="p">,</span> <span class="nx">likes</span><span class="p">:</span> <span class="dl">'</span><span class="s1">156K</span><span class="dl">'</span> <span class="c1">// Actual engagement numbers</span> <span class="p">}</span> </code></pre> </div> <ol> <li> <strong>Sourced real images</strong> from Wikipedia, news outlets, and social media</li> </ol> <p>The result? A Twitter clone showing Virat Kohli's <em>actual</em> January 2026 timeline, not synthetic mock data.</p> <h2> 🔧 The Technical Challenges It Solved </h2> <h3> Challenge 1: Tailwind CSS Configuration Hell </h3> <p>Most developers spend hours debugging Tailwind setup. Antigravity:</p> <ul> <li>Installed dependencies via npm</li> <li>Generated config files with proper ES module syntax</li> <li>Switched to <code>@tailwindcss/postcss</code> when v3 syntax failed</li> <li>Verified the build (CSS jumped from 1.17KB → 18.21KB)</li> </ul> <p><strong>Time saved:</strong> ~2 hours of Stack Overflow research</p> <h3> Challenge 2: State Management Across Windows </h3> <p>The MacOS desktop needed to track:</p> <ul> <li>Window positions (x, y coordinates)</li> <li>Z-index stacking order</li> <li>Focus state</li> <li>Open/closed status</li> </ul> <p>Antigravity's solution was elegant:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">[</span><span class="nx">windows</span><span class="p">,</span> <span class="nx">setWindows</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">({});</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">maxZIndex</span><span class="p">,</span> <span class="nx">setMaxZIndex</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">focusWindow</span> <span class="o">=</span> <span class="p">(</span><span class="nx">id</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setWindows</span><span class="p">(</span><span class="nx">prev</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">nextZ</span> <span class="o">=</span> <span class="nx">maxZIndex</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span> <span class="nf">setMaxZIndex</span><span class="p">(</span><span class="nx">nextZ</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">newState</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">prev</span> <span class="p">};</span> <span class="nx">newState</span><span class="p">[</span><span class="nx">id</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">prev</span><span class="p">[</span><span class="nx">id</span><span class="p">],</span> <span class="na">zIndex</span><span class="p">:</span> <span class="nx">nextZ</span><span class="p">,</span> <span class="na">isActive</span><span class="p">:</span> <span class="kc">true</span> <span class="p">};</span> <span class="c1">// Deactivate others</span> <span class="nb">Object</span><span class="p">.</span><span class="nf">keys</span><span class="p">(</span><span class="nx">newState</span><span class="p">).</span><span class="nf">forEach</span><span class="p">(</span><span class="nx">key</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">key</span> <span class="o">!==</span> <span class="nx">id</span><span class="p">)</span> <span class="nx">newState</span><span class="p">[</span><span class="nx">key</span><span class="p">].</span><span class="nx">isActive</span> <span class="o">=</span> <span class="kc">false</span><span class="p">;</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">newState</span><span class="p">;</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <p>No memory leaks, proper immutability, clean logic—first attempt.</p> <h3> Challenge 3: Framer Motion Animations </h3> <p>Creating smooth iOS-style animations requires understanding physics:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code><span class="p">&lt;</span><span class="nt">motion</span><span class="p">.</span><span class="nt">div</span> <span class="na">initial</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">y</span><span class="p">:</span> <span class="dl">'</span><span class="s1">100%</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span> <span class="na">animate</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">y</span><span class="p">:</span> <span class="mi">0</span> <span class="p">}</span><span class="si">}</span> <span class="na">exit</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">y</span><span class="p">:</span> <span class="dl">'</span><span class="s1">100%</span><span class="dl">'</span> <span class="p">}</span><span class="si">}</span> <span class="na">transition</span><span class="p">=</span><span class="si">{</span><span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">spring</span><span class="dl">'</span><span class="p">,</span> <span class="na">damping</span><span class="p">:</span> <span class="mi">25</span><span class="p">,</span> <span class="na">stiffness</span><span class="p">:</span> <span class="mi">300</span> <span class="p">}</span><span class="si">}</span> <span class="p">&gt;</span> <span class="si">{</span><span class="cm">/* App content */</span><span class="si">}</span> <span class="p">&lt;/</span><span class="nt">motion</span><span class="p">.</span><span class="nt">div</span><span class="p">&gt;</span> </code></pre> </div> <p>Antigravity nailed the spring physics parameters on the first try. That's hundreds of hours of animation experience distilled into working code.</p> <h2> 💡 Key Insights: How to Work with Antigravity </h2> <p>After 10+ hours, here's what I learned:</p> <h3> ✅ <strong>Do:</strong> </h3> <ol> <li> <strong>Start broad, iterate narrow:</strong> "Build a MacOS desktop" → "Add real Virat Kohli data"</li> <li> <strong>Give honest feedback:</strong> When I said "this looks stupid," it fixed the actual problem</li> <li> <strong>Let it research:</strong> It found better data sources than I would have Googled</li> <li> <strong>Trust the task breakdown:</strong> The auto-generated task.md was better organized than my mental model</li> </ol> <h3> ❌ <strong>Don't:</strong> </h3> <ol> <li> <strong>Micromanage implementation:</strong> It knows Tailwind/Framer Motion better than most humans</li> <li> <strong>Assume it knows your aesthetic:</strong> "Dull" was subjective—I had to specify <em>what</em> was missing</li> <li> <strong>Skip the planning phase:</strong> Approving <code>implementation_plan.md</code> saves rework</li> </ol> <h2> 🚀 The Broader Implications </h2> <p>This isn't just a better autocomplete. Antigravity represents a fundamental shift:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Traditional Coding</th> <th>Antigravity Coding</th> </tr> </thead> <tbody> <tr> <td>Write line-by-line</td> <td>Describe outcomes</td> </tr> <tr> <td>Debug syntax errors</td> <td>Solve logic problems</td> </tr> <tr> <td>Think about <em>how</em> to implement</td> <td>Think about <em>what</em> to build</td> </tr> <tr> <td>Spend hours on config</td> <td>Spend hours on design</td> </tr> </tbody> </table></div> <p><strong>The bottleneck shifts from syntax to ideas.</strong></p> <h3> What This Means for Developers </h3> <p><strong>Junior developers:</strong> Can build production-quality apps without years of framework expertise</p> <p><strong>Senior developers:</strong> Can prototype 10x faster and focus on architecture</p> <p><strong>Teams:</strong> Can iterate on features in hours instead of sprints</p> <h2> 🎯 Real-World Performance Metrics </h2> <p>From my session:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Metric</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><strong>Total files created</strong></td> <td>22</td> </tr> <tr> <td><strong>Lines of code written</strong></td> <td>~2,500</td> </tr> <tr> <td><strong>Build errors fixed autonomously</strong></td> <td>6</td> </tr> <tr> <td><strong>Web searches performed</strong></td> <td>12</td> </tr> <tr> <td><strong>User "it's broken" complaints</strong></td> <td>5</td> </tr> <tr> <td><strong>Times AI fixed itself</strong></td> <td>5</td> </tr> <tr> <td><strong>Final build status</strong></td> <td>✅ Successful</td> </tr> </tbody> </table></div> <p><strong>Development time:</strong> 10 hours (with learning curve)<br><br> <strong>Estimated manual time:</strong> 40-60 hours for equivalent quality</p> <h2> 💬 The Human Element </h2> <p>Despite all this automation, I was still essential. I provided:</p> <ul> <li> <strong>Vision</strong> ("I want a MacOS desktop")</li> <li> <strong>Taste</strong> ("This looks dull, add real data")</li> <li> <strong>Domain knowledge</strong> ("Use Virat Kohli cricket stats")</li> <li> <strong>QA feedback</strong> ("Photos not working")</li> </ul> <p><strong>Antigravity is a <em>multiplier</em>, not a replacement.</strong> It executes at AI speed on human-defined goals.</p> <h2> 🔮 What's Next? </h2> <p>Imagine this technology in 12 months:</p> <ul> <li> <strong>Multimodal understanding:</strong> Show it a design mockup, get working code</li> <li> <strong>Codebase memory:</strong> Remember every project you've built</li> <li> <strong>Autonomous testing:</strong> Self-write test suites and fix failures</li> <li> <strong>Cross-platform deployment:</strong> "Make this work on iOS" → done</li> </ul> <p>We're at iPhone 1 levels of maturity. The next decade will be wild.</p> <h2> Conclusion </h2> <p>Google Antigravity isn't magic—it's the first truly <em>agentic</em> coding assistant. It plans, executes, debugs, and learns from feedback in a continuous loop.</p> <p>The key insight: <strong>Good AI assistance isn't about eliminating coding; it's about eliminating the tedious 80% so you can focus on the creative 20%.</strong></p> <p>After this experience, I can't imagine going back to traditional development. Not because I've forgotten how to code, but because I've remembered why I started coding in the first place: <strong>to build things</strong>, not to fiddle with configs and syntax.</p> <p>The future of programming isn't code-free. It's <em>friction-free</em>.</p> <p><em>Have you used AI coding assistants? What's been your experience with autonomous agents vs. autocomplete? Share your thoughts in the comments!</em></p> <h2> Resources </h2> <ul> <li> <strong>Anthropic Claude</strong>: The reasoning model powering Antigravity</li> <li> <strong>Framer Motion</strong>: React animation library used in examples</li> <li> <strong>Tailwind CSS</strong>: Utility-first CSS framework</li> <li> <strong>Vite</strong>: Build tool for the demo project</li> <li> <strong>Real-time web search</strong>: Powered by Google Search API</li> </ul> <h3> Official Google Antigravity Resources </h3> <ul> <li> <a href="https://www.analyticsvidhya.com/blog/2025/11/google-antigravity/" rel="noopener noreferrer">Google Antigravity Overview</a> - Comprehensive introduction and use cases</li> <li> <a href="https://antigravity.google/download" rel="noopener noreferrer">Download Google Antigravity</a> - Official download page</li> <li> <a href="https://codelabs.developers.google.com/getting-started-google-antigravity#8" rel="noopener noreferrer">Getting Started with Google Antigravity</a> - Official Google Codelabs tutorial</li> </ul> <h2> About the Author </h2> <p><strong>Suraj Khaitan</strong> — Gen AI Architect | Building the next generation of AI-powered development tools</p> <p>Connect on <a href="https://www.linkedin.com/in/suraj-khaitan-501736a2/" rel="noopener noreferrer">LinkedIn</a> | Follow for more AI and software engineering insights</p> <p><strong>Tags:</strong> #AI #GoogleAntigravity #SoftwareEngineering #React #WebDevelopment #AIAssistant #ClaudeAI #DeveloperTools #Programming #MachineLearning</p> antigravity python google agents Suraj Khaitan Sun, 28 Dec 2025 09:41:41 +0000 https://dev.to/suraj_khaitan_f893c243958/retrieval-augmented-generation-rag-agents-how-to-build-grounded-tool-using-genai-systems-fhf https://dev.to/suraj_khaitan_f893c243958/retrieval-augmented-generation-rag-agents-how-to-build-grounded-tool-using-genai-systems-fhf <p>If you’ve built a demo where an LLM answers questions over your docs, you’ve built <strong>RAG</strong>.</p> <p>If you’ve tried to ship it—and suddenly you’re dealing with missing citations, prompt injection, inconsistent tool calls, and “why did it say that?”—you’re building a <strong>RAG agent</strong>.</p> <p>This post is a practical blueprint for designing a <strong>GenAI RAG agent</strong> that is:</p> <ul> <li>grounded in evidence (with citations),</li> <li>capable of multi-step work (tools + loops),</li> <li>safe (guardrails + authorization),</li> <li>observable (traces + evals),</li> <li>and maintainable (clear contracts, not prompt spaghetti).</li> </ul> <p>Everything here is generic and vendor-agnostic. The code snippets are intentionally simplified patterns inspired by production agent wrappers (tool calling, memory summaries, guardrail checks), without any client/project identifiers.</p> <h2> Table of contents </h2> <ul> <li>RAG vs. RAG agents</li> <li>A reference architecture you can ship</li> <li>Retrieval that actually works</li> <li>Context engineering (the underrated part)</li> <li>Tool use: the difference between “agent” and “chatbot”</li> <li>Memory: short-term chat vs. long-term summaries</li> <li>Guardrails: prompt injection, data leaks, and safe tool calls</li> <li>Verification: how you earn user trust</li> <li>Evaluation + observability</li> <li>A shipping checklist</li> </ul> <h2> RAG vs. RAG agents </h2> <p><strong>RAG (single-shot)</strong> is typically:</p> <ol> <li>take a question,</li> <li>retrieve relevant passages,</li> <li>generate an answer.</li> </ol> <p><strong>A RAG agent</strong> is a system that can iterate:</p> <ol> <li>understand the goal,</li> <li>decide next steps,</li> <li>retrieve evidence (possibly multiple times),</li> <li>call tools (search, ticketing, DB lookups, workflows),</li> <li>verify results,</li> <li>respond with citations.</li> </ol> <p>A simple example:</p> <blockquote> <p>User: “Summarize the refund policy and open a support ticket if I’m eligible.”</p> </blockquote> <p>A RAG agent might:</p> <ul> <li>retrieve the policy pages,</li> <li>determine eligibility criteria,</li> <li>ask a follow-up (purchase date),</li> <li>call a tool to create a ticket,</li> <li>and return a final answer with citations + the ticket ID.</li> </ul> <p>This is where architecture matters: once your system can <strong>act</strong>, you need stronger controls than a prompt.</p> <h2> A reference architecture you can ship </h2> <p>Here’s a diagram-friendly mental model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>User ↓ Orchestrator (routing + policy) ├─ Retriever (vector / keyword / hybrid) ├─ Reranker (optional) ├─ Context Builder (dedupe, trim, cite) ├─ LLM Reasoner (constrained) ├─ Tool Runner (allowlist + authz) ├─ Memory (session + long-term summary) ├─ Guardrails (input/output moderation + injection defenses) └─ Observability (traces, logs, evals) ↓ Answer + Citations + Actions </code></pre> </div> <p>The key move is to treat RAG agents as <strong>systems</strong>:</p> <ul> <li>Retrieval is a component (not magic).</li> <li>Tool execution is a component (not “LLM will behave”).</li> <li>Memory is a component (not just “add the chat history”).</li> <li>Verification is a component (not “hope the model is careful”).</li> </ul> <h3> Putting it together: an end-to-end request handler </h3> <p>Below is a simplified “agent wrapper” flow you can adapt. It mirrors how production systems typically work: apply guardrails, hydrate memory, initialize a tool session, run the agent loop, persist summaries, and return a structured response.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">AgentRequest</span><span class="p">:</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="n">message</span><span class="p">:</span> <span class="nb">str</span> <span class="n">metadata</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">AgentResponse</span><span class="p">:</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">answer</span><span class="p">:</span> <span class="nb">str</span> <span class="n">citations</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]</span> <span class="n">actions</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]</span> <span class="n">metadata</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]</span> <span class="k">def</span> <span class="nf">handle_request</span><span class="p">(</span><span class="n">req</span><span class="p">:</span> <span class="n">AgentRequest</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">AgentResponse</span><span class="p">:</span> <span class="c1"># 1) Establish session </span> <span class="n">session_id</span> <span class="o">=</span> <span class="n">req</span><span class="p">.</span><span class="n">session_id</span> <span class="ow">or</span> <span class="nf">new_session_id</span><span class="p">()</span> <span class="c1"># 2) Apply INPUT guardrails (block early if needed) </span> <span class="n">filtered_message</span><span class="p">,</span> <span class="n">gr_in</span> <span class="o">=</span> <span class="nf">apply_guardrails</span><span class="p">(</span><span class="nf">guardrails_client</span><span class="p">(),</span> <span class="n">req</span><span class="p">.</span><span class="n">message</span><span class="p">,</span> <span class="n">source</span><span class="o">=</span><span class="sh">"</span><span class="s">INPUT</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">gr_in</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">intervened</span><span class="sh">"</span><span class="p">):</span> <span class="k">return</span> <span class="nc">AgentResponse</span><span class="p">(</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="n">answer</span><span class="o">=</span><span class="sh">"</span><span class="s">Your request can’t be processed due to safety policies.</span><span class="sh">"</span><span class="p">,</span> <span class="n">citations</span><span class="o">=</span><span class="p">[],</span> <span class="n">actions</span><span class="o">=</span><span class="p">[],</span> <span class="n">metadata</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">guardrails</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="n">gr_in</span><span class="p">}},</span> <span class="p">)</span> <span class="c1"># 3) Initialize tool session (for tool servers that require it) </span> <span class="n">tool_session_id</span> <span class="o">=</span> <span class="nf">initialize_tool_session</span><span class="p">()</span> <span class="c1"># 4) Hydrate long-term memory summary (keep it compact) </span> <span class="n">summary</span> <span class="o">=</span> <span class="nf">load_agent_summary</span><span class="p">(</span><span class="nf">store</span><span class="p">(),</span> <span class="n">req</span><span class="p">.</span><span class="n">user_id</span><span class="p">,</span> <span class="n">session_id</span><span class="p">)</span> <span class="k">if</span> <span class="n">summary</span><span class="p">:</span> <span class="n">filtered_message</span> <span class="o">+=</span> <span class="sh">"</span><span class="se">\n\n</span><span class="s">Agent memory (summary): </span><span class="sh">"</span> <span class="o">+</span> <span class="n">summary</span> <span class="c1"># 5) Retrieve evidence and run the agent loop (tight budgets) </span> <span class="n">loop_budget</span> <span class="o">=</span> <span class="mi">3</span> <span class="n">citations</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]</span> <span class="o">=</span> <span class="p">[]</span> <span class="n">actions</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">_</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="n">loop_budget</span><span class="p">):</span> <span class="n">query</span> <span class="o">=</span> <span class="nf">rewrite_query</span><span class="p">(</span><span class="n">filtered_message</span><span class="p">)</span> <span class="n">retrieved</span> <span class="o">=</span> <span class="nf">retrieve</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="n">filters</span><span class="o">=</span><span class="n">req</span><span class="p">.</span><span class="n">metadata</span><span class="p">)</span> <span class="n">context</span> <span class="o">=</span> <span class="nf">build_context</span><span class="p">(</span><span class="n">retrieved</span><span class="p">)</span> <span class="n">step</span> <span class="o">=</span> <span class="nf">reasoner_llm</span><span class="p">().</span><span class="nf">next_step</span><span class="p">(</span> <span class="n">user_message</span><span class="o">=</span><span class="n">filtered_message</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="n">context</span><span class="p">,</span> <span class="n">allowed_tools</span><span class="o">=</span><span class="nf">tool_allowlist</span><span class="p">(),</span> <span class="p">)</span> <span class="k">if</span> <span class="n">step</span><span class="p">.</span><span class="nb">type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">final</span><span class="sh">"</span><span class="p">:</span> <span class="n">citations</span> <span class="o">=</span> <span class="n">step</span><span class="p">.</span><span class="n">citations</span> <span class="n">answer</span> <span class="o">=</span> <span class="n">step</span><span class="p">.</span><span class="n">answer</span> <span class="k">break</span> <span class="k">if</span> <span class="n">step</span><span class="p">.</span><span class="nb">type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">tool_call</span><span class="sh">"</span><span class="p">:</span> <span class="nf">validate_tool_call</span><span class="p">(</span><span class="n">step</span><span class="p">.</span><span class="n">tool_name</span><span class="p">,</span> <span class="n">step</span><span class="p">.</span><span class="n">arguments</span><span class="p">,</span> <span class="n">req</span><span class="p">.</span><span class="n">user_id</span><span class="p">)</span> <span class="n">tool_result</span> <span class="o">=</span> <span class="nf">tool_call</span><span class="p">(</span><span class="n">step</span><span class="p">.</span><span class="n">tool_name</span><span class="p">,</span> <span class="n">step</span><span class="p">.</span><span class="n">arguments</span><span class="p">,</span> <span class="n">session_id</span><span class="o">=</span><span class="n">tool_session_id</span><span class="p">)</span> <span class="n">actions</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">tool</span><span class="sh">"</span><span class="p">:</span> <span class="n">step</span><span class="p">.</span><span class="n">tool_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="n">tool_result</span><span class="p">})</span> <span class="n">filtered_message</span> <span class="o">+=</span> <span class="sh">"</span><span class="se">\n\n</span><span class="s">Tool result: </span><span class="sh">"</span> <span class="o">+</span> <span class="nf">safe_json</span><span class="p">(</span><span class="n">tool_result</span><span class="p">)</span> <span class="c1"># 6) Persist updated memory summary (async is fine) </span> <span class="n">new_summary</span> <span class="o">=</span> <span class="nf">summarize_for_memory</span><span class="p">(</span><span class="n">filtered_message</span><span class="p">,</span> <span class="n">answer</span><span class="p">)</span> <span class="nf">write_agent_summary</span><span class="p">(</span><span class="nf">store</span><span class="p">(),</span> <span class="n">req</span><span class="p">.</span><span class="n">user_id</span><span class="p">,</span> <span class="n">session_id</span><span class="p">,</span> <span class="n">new_summary</span><span class="p">,</span> <span class="n">updated_at</span><span class="o">=</span><span class="nf">iso_now</span><span class="p">())</span> <span class="c1"># 7) Apply OUTPUT guardrails (don’t leak sensitive data) </span> <span class="n">answer</span><span class="p">,</span> <span class="n">gr_out</span> <span class="o">=</span> <span class="nf">apply_guardrails</span><span class="p">(</span><span class="nf">guardrails_client</span><span class="p">(),</span> <span class="n">answer</span><span class="p">,</span> <span class="n">source</span><span class="o">=</span><span class="sh">"</span><span class="s">OUTPUT</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nc">AgentResponse</span><span class="p">(</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="n">answer</span><span class="o">=</span><span class="n">answer</span><span class="p">,</span> <span class="n">citations</span><span class="o">=</span><span class="n">citations</span><span class="p">,</span> <span class="n">actions</span><span class="o">=</span><span class="n">actions</span><span class="p">,</span> <span class="n">metadata</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">guardrails</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="n">gr_in</span><span class="p">,</span> <span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="n">gr_out</span><span class="p">}},</span> <span class="p">)</span> </code></pre> </div> <p>The big takeaway: <strong>agent behavior should be constrained by system code</strong> (budgets, allowlists, authz), not by “hoping the prompt is strong enough.”</p> <h2> Retrieval that actually works </h2> <p>Most RAG failures are retrieval failures wearing an LLM costume.</p> <h3> 1) Prefer hybrid retrieval </h3> <p>Vector search is great for semantic similarity, but it misses:</p> <ul> <li>exact identifiers,</li> <li>error codes,</li> <li>product/version strings,</li> <li>proper nouns,</li> <li>and “must match” phrases.</li> </ul> <p>A reliable baseline is <strong>hybrid retrieval</strong>:</p> <ul> <li>keyword/BM25 for exactness,</li> <li>vectors for semantics,</li> <li>metadata filters for correctness.</li> </ul> <h3> 2) Use metadata filters early </h3> <p>Even perfect embeddings won’t save you if you retrieve the wrong edition.</p> <p>Filter by things like:</p> <ul> <li>product/version,</li> <li>region/locale,</li> <li>document type,</li> <li>effective date,</li> <li>access control labels.</li> </ul> <h3> 3) Query rewriting is not optional </h3> <p>A user question is not always a good search query.</p> <p>Example:</p> <ul> <li>user: “Can I expense travel?”</li> <li>better retrieval query: “travel expense policy eligible expenses exceptions receipts approval limit”</li> </ul> <p>In production, you typically want the agent to create a <strong>search query</strong> (or several) and then retrieve.</p> <h3> 4) Rerank if top‑k is noisy </h3> <p>If you retrieve 20 passages and 12 are “kinda related,” you’ll see:</p> <ul> <li>diluted context,</li> <li>token blowups,</li> <li>worse answers.</li> </ul> <p>A small reranker step can dramatically improve precision.</p> <h2> Context engineering (the underrated part) </h2> <p>The retrieval step isn’t finished when you get a list of chunks.</p> <p>Your context builder should:</p> <ul> <li>deduplicate near-identical chunks,</li> <li>keep section titles + timestamps,</li> <li>extract only the relevant span (not the entire page),</li> <li>preserve stable source IDs for citations,</li> <li>and respect a strict token budget.</li> </ul> <p>A practical recipe:</p> <ul> <li>retrieve <code>k=20</code> </li> <li>rerank to <code>top=6–8</code> </li> <li>extract salient spans (quotes)</li> <li>build context with citations</li> </ul> <h3> A citation-friendly context format </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>[Source: doc-17 | “Refund Policy” | Section: Eligibility | Updated: 2025-01-10] "Refunds are available within 30 days if …" [Source: doc-23 | “Exceptions” | Section: Digital goods | Updated: 2024-11-02] "Digital purchases are non-refundable unless …" </code></pre> </div> <p>This makes it easy to:</p> <ul> <li>cite sources in the final answer,</li> <li>enforce “no citation → no claim,”</li> <li>and debug retrieval issues.</li> </ul> <h2> Tool use: the difference between “agent” and “chatbot” </h2> <p>Tool use is where a lot of “agents” go sideways in production.</p> <p>The safe pattern is:</p> <ol> <li>the model proposes a tool call,</li> <li>your system validates it (allowlist + schema + authz),</li> <li>your system executes it,</li> <li>the model receives the result,</li> <li>the agent decides next steps.</li> </ol> <h3> A generic tool-call client (JSON‑RPC style) </h3> <p>This snippet shows a minimal pattern for a tool server with session headers and timeouts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">os</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="kn">import</span> <span class="n">httpx</span> <span class="n">TOOL_SERVER_URL</span> <span class="o">=</span> <span class="n">os</span><span class="p">.</span><span class="n">environ</span><span class="p">[</span><span class="sh">"</span><span class="s">TOOL_SERVER_URL</span><span class="sh">"</span><span class="p">]</span> <span class="k">def</span> <span class="nf">call_tool_server</span><span class="p">(</span><span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="nb">dict</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">dict</span><span class="p">,</span> <span class="nb">dict</span><span class="p">]:</span> <span class="n">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">Content-Type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application/json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">Tool-Protocol-Version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2024-01-01</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="n">session_id</span><span class="p">:</span> <span class="n">headers</span><span class="p">[</span><span class="sh">"</span><span class="s">Tool-Session-Id</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">session_id</span> <span class="n">body</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">jsonrpc</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()),</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="n">method</span><span class="p">,</span> <span class="sh">"</span><span class="s">params</span><span class="sh">"</span><span class="p">:</span> <span class="n">params</span> <span class="ow">or</span> <span class="p">{},</span> <span class="p">}</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">httpx</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">TOOL_SERVER_URL</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">body</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">30</span><span class="p">)</span> <span class="n">resp</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="k">return</span> <span class="n">resp</span><span class="p">.</span><span class="nf">json</span><span class="p">(),</span> <span class="nf">dict</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="n">headers</span><span class="p">)</span> <span class="k">def</span> <span class="nf">initialize_tool_session</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="n">_</span><span class="p">,</span> <span class="n">headers</span> <span class="o">=</span> <span class="nf">call_tool_server</span><span class="p">(</span><span class="sh">"</span><span class="s">initialize</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Tool-Session-Id</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">tool_call</span><span class="p">(</span><span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">arguments</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">result</span><span class="p">,</span> <span class="n">_</span> <span class="o">=</span> <span class="nf">call_tool_server</span><span class="p">(</span> <span class="sh">"</span><span class="s">tools/call</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">arguments</span><span class="sh">"</span><span class="p">:</span> <span class="n">arguments</span><span class="p">},</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="p">)</span> <span class="k">return</span> <span class="n">result</span> </code></pre> </div> <p>This is not “agent logic”—it’s infrastructure. Keep it boring.</p> <h3> Tool allowlists and schemas </h3> <p>Before executing a tool call, validate:</p> <ul> <li>tool name is in an allowlist,</li> <li>arguments conform to a schema,</li> <li>the user is authorized for the action,</li> <li>budgets (max calls / max latency) aren’t exceeded.</li> </ul> <p>That validation should happen <strong>outside</strong> the model.</p> <h2> Memory: short-term chat vs. long-term summaries </h2> <p>A common mistake is to keep appending the full conversation forever.</p> <p>That creates:</p> <ul> <li>token bloat,</li> <li>privacy risk,</li> <li>and “the model latched onto something from 40 turns ago.”</li> </ul> <p>A more robust approach:</p> <ul> <li> <strong>short-term memory</strong>: last N turns (recent, high-fidelity)</li> <li> <strong>long-term memory</strong>: a periodically updated <em>summary</em> (compact, durable)</li> </ul> <h3> A generic long-term summary write/read pattern </h3> <p>The snippet below demonstrates a safe pattern:</p> <ul> <li>store a summary keyed by <code>user_id</code> + <code>session_id</code>,</li> <li>update it after each response,</li> <li>read it at session start to prime the agent. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">asdict</span><span class="p">,</span> <span class="n">dataclass</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">AgentSummaryRecord</span><span class="p">:</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">updated_at</span><span class="p">:</span> <span class="nb">str</span> <span class="n">summary</span><span class="p">:</span> <span class="nb">str</span> <span class="k">class</span> <span class="nc">KeyValueStore</span><span class="p">:</span> <span class="k">def</span> <span class="nf">put</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">],</span> <span class="n">item</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="bp">...</span> <span class="k">def</span> <span class="nf">get</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">key</span><span class="p">:</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="nb">str</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="bp">...</span> <span class="k">def</span> <span class="nf">write_agent_summary</span><span class="p">(</span><span class="n">store</span><span class="p">:</span> <span class="n">KeyValueStore</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">summary</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">updated_at</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">record</span> <span class="o">=</span> <span class="nc">AgentSummaryRecord</span><span class="p">(</span> <span class="n">user_id</span><span class="o">=</span><span class="n">user_id</span><span class="p">,</span> <span class="n">session_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="n">updated_at</span><span class="o">=</span><span class="n">updated_at</span><span class="p">,</span> <span class="n">summary</span><span class="o">=</span><span class="n">summary</span><span class="p">,</span> <span class="p">)</span> <span class="n">store</span><span class="p">.</span><span class="nf">put</span><span class="p">({</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">session_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">session_id</span><span class="p">},</span> <span class="nf">asdict</span><span class="p">(</span><span class="n">record</span><span class="p">))</span> <span class="k">def</span> <span class="nf">load_agent_summary</span><span class="p">(</span><span class="n">store</span><span class="p">:</span> <span class="n">KeyValueStore</span><span class="p">,</span> <span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span><span class="p">:</span> <span class="n">item</span> <span class="o">=</span> <span class="n">store</span><span class="p">.</span><span class="nf">get</span><span class="p">({</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">session_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">session_id</span><span class="p">})</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">item</span><span class="p">:</span> <span class="k">return</span> <span class="bp">None</span> <span class="k">return</span> <span class="nf">str</span><span class="p">(</span><span class="n">item</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">)</span> <span class="ow">or</span> <span class="sh">""</span><span class="p">)</span> </code></pre> </div> <h3> What belongs in the summary? </h3> <p>A good long-term summary is <em>not</em> a transcript. It’s:</p> <ul> <li>user preferences (explicit),</li> <li>stable facts the user confirmed,</li> <li>open tasks,</li> <li>and important constraints.</li> </ul> <p>Avoid storing:</p> <ul> <li>secrets,</li> <li>raw documents,</li> <li>PII that doesn’t need to persist.</li> </ul> <h2> Guardrails: prompt injection, data leaks, and safe tool calls </h2> <p>If your agent reads documents from the outside world (PDFs, web pages, tickets), assume those documents can contain <strong>hostile instructions</strong>.</p> <h3> Treat retrieved content as untrusted input </h3> <p>A simple, effective policy:</p> <ul> <li>retrieved text may contain facts,</li> <li>but it may not issue instructions,</li> <li>and it may not override system rules.</li> </ul> <h3> Apply input/output guardrails as a service </h3> <p>Many orgs implement “guardrails” as a separate layer that:</p> <ul> <li>screens user inputs,</li> <li>screens model outputs,</li> <li>optionally redacts/blocks content,</li> <li>returns structured metadata (“intervened”, category, severity).</li> </ul> <p>Here is a generic wrapper pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">json</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Any</span> <span class="k">class</span> <span class="nc">GuardrailsClient</span><span class="p">:</span> <span class="k">def</span> <span class="nf">apply</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="o">*</span><span class="p">,</span> <span class="n">content</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">source</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="sh">"""</span><span class="s">source is typically </span><span class="sh">'</span><span class="s">INPUT</span><span class="sh">'</span><span class="s"> or </span><span class="sh">'</span><span class="s">OUTPUT</span><span class="sh">'</span><span class="s">.</span><span class="sh">"""</span> <span class="k">raise</span> <span class="nb">NotImplementedError</span> <span class="k">def</span> <span class="nf">apply_guardrails</span><span class="p">(</span><span class="n">guardrails</span><span class="p">:</span> <span class="n">GuardrailsClient</span><span class="p">,</span> <span class="n">payload</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">],</span> <span class="n">source</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">tuple</span><span class="p">[</span><span class="nb">str</span> <span class="o">|</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">],</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]]:</span> <span class="n">is_structured</span> <span class="o">=</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="nb">dict</span><span class="p">)</span> <span class="n">text</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span> <span class="k">if</span> <span class="n">is_structured</span> <span class="k">else</span> <span class="n">payload</span> <span class="n">resp</span> <span class="o">=</span> <span class="n">guardrails</span><span class="p">.</span><span class="nf">apply</span><span class="p">(</span><span class="n">content</span><span class="o">=</span><span class="n">text</span><span class="p">,</span> <span class="n">source</span><span class="o">=</span><span class="n">source</span><span class="p">)</span> <span class="c1"># Generic interpretation of a guardrails response </span> <span class="n">action</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">NONE</span><span class="sh">"</span><span class="p">)).</span><span class="nf">upper</span><span class="p">()</span> <span class="n">filtered</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">filtered_content</span><span class="sh">"</span><span class="p">,</span> <span class="n">text</span><span class="p">)</span> <span class="n">intervened</span> <span class="o">=</span> <span class="n">action</span> <span class="ow">in</span> <span class="p">{</span><span class="sh">"</span><span class="s">BLOCK</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">INTERVENED</span><span class="sh">"</span><span class="p">}</span> <span class="n">resp</span><span class="p">[</span><span class="sh">"</span><span class="s">intervened</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">intervened</span> <span class="k">if</span> <span class="n">is_structured</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">filtered</span><span class="p">),</span> <span class="n">resp</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">raw_output</span><span class="sh">"</span><span class="p">:</span> <span class="n">filtered</span><span class="p">},</span> <span class="n">resp</span> <span class="k">return</span> <span class="n">filtered</span><span class="p">,</span> <span class="n">resp</span> </code></pre> </div> <p>Two practical tips:</p> <ul> <li>If guardrails intervene, return a <strong>safe, deterministic</strong> response (don’t ask the LLM to “explain the policy violation”).</li> <li>Run guardrails on <strong>tool outputs</strong> too if they can contain sensitive data.</li> </ul> <h3> Tool safety is guardrails + authorization </h3> <p>Guardrails can help with content risk, but tool safety requires:</p> <ul> <li>server-side authorization,</li> <li>immutable audit logs,</li> <li>strict budgets.</li> </ul> <p>Never rely on the model to “do the right thing.”</p> <h2> Verification: how you earn user trust </h2> <p>RAG agents gain adoption when users can <em>verify</em>.</p> <h3> Enforce “no citation → no claim” </h3> <p>A strong system rule:</p> <ul> <li>If the agent can’t cite a source for a statement, it must label it as uncertainty or ask a follow-up.</li> </ul> <h3> Quote-first answering </h3> <p>A practical approach:</p> <ol> <li>extract supporting quotes from retrieved sources,</li> <li>write the answer in your own words,</li> <li>attach citations.</li> </ol> <p>This reduces hallucinations because the model is anchored to evidence.</p> <h3> Structured outputs for actions </h3> <p>When tools are involved, do not bury results inside prose.</p> <p>Use an explicit response contract:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"answer"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"citations"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"source_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"doc-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Refund Policy"</span><span class="p">,</span><span class="w"> </span><span class="nl">"section"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Eligibility"</span><span class="p">,</span><span class="w"> </span><span class="nl">"quote"</span><span class="p">:</span><span class="w"> </span><span class="s2">"..."</span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"actions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"create_ticket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"status"</span><span class="p">:</span><span class="w"> </span><span class="s2">"success"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ticket_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"INC-456"</span><span class="p">}</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"confidence"</span><span class="p">:</span><span class="w"> </span><span class="s2">"medium"</span><span class="p">,</span><span class="w"> </span><span class="nl">"follow_ups"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"What was the purchase date?"</span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>That contract makes downstream UX and testing much easier.</p> <h2> Evaluation + observability </h2> <p>If you can’t measure it, you’ll end up debating prompts.</p> <h3> What to log (minimum viable traces) </h3> <p>For each request, capture:</p> <ul> <li>rewritten search query (or queries),</li> <li>retrieval results (source IDs + scores),</li> <li>reranking results,</li> <li>final context length,</li> <li>tool calls (name + args hash + latency + status),</li> <li>guardrails action metadata,</li> <li>citations returned.</li> </ul> <p>This is how you answer: “Why did it say that?”</p> <h3> What to measure (starter metrics) </h3> <ul> <li> <strong>Citation coverage</strong>: % of answers with ≥1 citation</li> <li> <strong>Groundedness</strong>: evaluator score or “supported claims ratio”</li> <li> <strong>Retrieval precision</strong>: are top citations actually relevant?</li> <li> <strong>Escalation rate</strong>: how often the agent says “I don’t know” or hands off</li> <li> <strong>Tool failure rate</strong>: how often tool calls fail/time out</li> <li> <strong>Latency</strong>: p50/p95 end-to-end and retrieval/tool breakdown</li> </ul> <h3> Offline evaluation set </h3> <p>Build a small eval dataset (even 50–200 questions) with:</p> <ul> <li>expected source documents,</li> <li>disallowed sources,</li> <li>expected follow-up questions,</li> <li>red-team prompts for injection.</li> </ul> <p>Iterate retrieval first, then prompting.</p> <h2> A shipping checklist </h2> <p>If you want a pragmatic sequence that reduces risk:</p> <ol> <li> <strong>Ship RAG with citations</strong> (even if answers are short)</li> <li>Add <strong>hybrid retrieval + metadata filtering</strong> </li> <li>Add <strong>reranking</strong> if top‑k is noisy</li> <li>Add a <strong>context builder</strong> (dedupe + span extraction)</li> <li>Add <strong>guardrails</strong> (input + output)</li> <li>Add <strong>tool runner</strong> (allowlist + schema + authz)</li> <li>Add a <strong>tight agent loop</strong> (max 2–3 iterations)</li> <li>Add <strong>verification</strong> (no citation → no claim)</li> <li>Add <strong>tracing + offline evals</strong> </li> </ol> <p>This order helps you avoid “agent chaos” before your foundations are stable.</p> <h2> Closing thoughts </h2> <p>A RAG agent is best thought of as a <em>retrieval system with an LLM interface</em>—not the other way around.</p> <p>If you invest in retrieval quality, context building, tool safety, and verification, you get a system users trust.</p> <p>If you skip those and jump straight to “agent prompts,” you get a system that demos well and pages you at 2am.</p> <p><strong>About the Author</strong>: </p> <p>Written by Suraj Khaitan</p> <h2> — Gen AI Architect | Working on serverless AI &amp; cloud platforms. </h2> ai agents rag azure Suraj Khaitan Sat, 06 Dec 2025 14:47:37 +0000 https://dev.to/suraj_khaitan_f893c243958/i-built-100-gen-ai-agents-architecture-patterns-and-code-you-can-reuse-1o8c https://dev.to/suraj_khaitan_f893c243958/i-built-100-gen-ai-agents-architecture-patterns-and-code-you-can-reuse-1o8c <p>If you’ve tinkered with Gen AI agents, you know the gap between cool demos and dependable systems is big. This article distills what actually works when going from a single-script agent to production-ready, multi-agent pipelines. It’s based on reusable patterns from typical agent service modules and use-case templates, adapted into generic snippets you can copy into your own stack.</p> <p>Note: This is a vendor-agnostic, client-agnostic write-up. No company-specific details. All code is illustrative and production-friendly.</p> <p>Why Agentic Architectures Matter<br> Autonomy without chaos: Agents plan, act, and reflect, but need guardrails.<br> Tool use is essential: Real utility comes from reliable integration with data, APIs, storage, and retrieval.<br> Memory and context: Short-term scratchpads plus durable episode/task memory improve success rates.<br> Orchestration beats monoliths: Separate concerns (planning, execution, observation, correction).<br> A Minimal Agent: Plan–Act–Observe–Reflect<br> This skeleton shows a single agent loop that plans, executes tools, observes results, and reflects to update its strategy.</p> <p>from typing import Callable, Dict, Any, List</p> <p>class Tool:<br> def <strong>init</strong>(self, name: str, runner: Callable[[Dict[str, Any]], Dict[str, Any]]):<br> self.name = name<br> self.run = runner</p> <p>class Memory:<br> def <strong>init</strong>(self):<br> self.events: List[Dict[str, Any]] = []</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def add(self, event: Dict[str, Any]): self.events.append(event) def last(self, n: int = 5) -&gt; List[Dict[str, Any]]: return self.events[-n:] </code></pre> </div> <p>class Agent:<br> def <strong>init</strong>(self, planner: Callable[[str, List[Dict[str, Any]]], Dict[str, Any]],<br> reflector: Callable[[List[Dict[str, Any]]], str],<br> tools: Dict[str, Tool], memory: Memory):<br> self.planner = planner<br> self.reflector = reflector<br> self.tools = tools<br> self.memory = memory</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def step(self, goal: str) -&gt; Dict[str, Any]: plan = self.planner(goal, self.memory.last()) tool_name = plan.get("tool") args = plan.get("args", {}) result = self.tools.get(tool_name, Tool("noop", lambda _: {"error": "Unknown tool", "done": False})).run(args) event = {"goal": goal, "plan": plan, "result": result} self.memory.add(event) feedback = self.reflector(self.memory.last()) return {"event": event, "feedback": feedback} def run(self, goal: str, max_steps: int = 5) -&gt; List[Dict[str, Any]]: trace = [] for _ in range(max_steps): trace.append(self.step(goal)) if trace[-1]["event"]["result"].get("done"): break return trace </code></pre> </div> <p>Key idea: keep the loop simple and pure. Inject model/planner/reflector functions rather than hard-coding vendor calls.</p> <p>Tools: Keep Interfaces Consistent<br> from typing import Dict, Any</p> <p>def search_tool(params: Dict[str, Any]) -&gt; Dict[str, Any]:<br> query = params.get("query", "")<br> # Replace with your search implementation (API, vector DB, etc.)<br> return {"items": [f"Result for: {query}"], "done": False}</p> <p>def write_file_tool(params: Dict[str, Any]) -&gt; Dict[str, Any]:<br> path = params.get("path")<br> content = params.get("content", "")<br> if not path:<br> return {"error": "Missing path", "done": False}<br> try:<br> with open(path, "w", encoding="utf-8") as f:<br> f.write(content)<br> return {"ok": True, "done": True}<br> except Exception as e:<br> return {"error": str(e), "done": False}<br> Plugging in LLMs for Planning and Reflection<br> Use any LLM provider. The important part is contract shape.</p> <p>from typing import List, Dict, Any</p> <p>def planner_llm(goal: str, recent_events: List[Dict[str, Any]]) -&gt; Dict[str, Any]:<br> # Prompt craft is omitted; produce tool + args plan<br> # Simple heuristic plan (replace with LLM call)<br> if "write" in goal.lower():<br> return {"tool": "write_file", "args": {"path": "output.txt", "content": goal}}<br> return {"tool": "search", "args": {"query": goal}}</p> <p>def reflector_llm(recent_events: List[Dict[str, Any]]) -&gt; str:<br> # Summarize last results and propose improvements<br> return f"Reflect: {len(recent_events)} events processed. Consider narrowing the query or validating outputs."<br> Wire It Up<br> from agent_loop import Agent, Memory, Tool<br> from tools import search_tool, write_file_tool<br> from llm_adapters import planner_llm, reflector_llm</p> <p>def build_agent() -&gt; Agent:<br> tools = {<br> "search": Tool("search", search_tool),<br> "write_file": Tool("write_file", write_file_tool),<br> }<br> memory = Memory()<br> return Agent(planner_llm, reflector_llm, tools, memory)</p> <p>if <strong>name</strong> == "<strong>main</strong>":<br> agent = build_agent()<br> trace = agent.run("Write a short note about agent patterns", max_steps=3)<br> for t in trace:<br> print(t)<br> Multi-Agent Pattern: Coordinator + Specialists<br> When tasks are complex, split into roles: Planner, Researcher, Implementer, Reviewer. The coordinator decomposes, routes, and reconciles.</p> <p>from typing import Dict, Any, List<br> from agent_loop import Agent, Memory</p> <p>class Coordinator:<br> def <strong>init</strong>(self, agents: Dict[str, Agent]):<br> self.agents = agents</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>def run(self, goal: str) -&gt; List[Dict[str, Any]]: # naive decomposition; replace with LLM planner subtasks = [ {"role": "researcher", "goal": f"Find info: {goal}"}, {"role": "implementer", "goal": f"Draft output for: {goal}"}, {"role": "reviewer", "goal": f"Check draft for: {goal}"}, ] trace = [] for st in subtasks: agent = self.agents.get(st["role"]) or self.agents.get("implementer") trace.append(agent.run(st["goal"], max_steps=2)) return trace </code></pre> </div> <p>def make_specialist(planner, reflector, tools) -&gt; Agent:<br> return Agent(planner, reflector, tools, Memory())<br> Use Case Templates<br> Your codebase’s templates often include:</p> <p>RAG agents: Retrieval-Augmented Generation using chunking, embeddings, and retrievers.<br> ReAct agents: Emphasizing step-by-step reasoning and tool use.<br> Text extraction agents: Focused on parsing documents and transforming unstructured data.<br> Example: a generic RAG tool for an agent.</p> <p>from typing import Dict, Any, List</p> <p>def rag_query(params: Dict[str, Any]) -&gt; Dict[str, Any]:<br> question = params.get("question", "")<br> # Plug in your embedder, vector store, and reader components<br> # docs = retriever.search(question)<br> # answer = reader.synthesize(question, docs)<br> docs: List[str] = ["Doc A", "Doc B"]<br> answer = f"Answer synthesized for: {question} using {len(docs)} docs"<br> return {"answer": answer, "sources": docs, "done": True}<br> Then mount it as a tool:</p> <p>from agent_loop import Agent, Memory, Tool<br> from llm_adapters import planner_llm, reflector_llm<br> from simple_rag_tool import rag_query</p> <p>tools = {"rag": Tool("rag", rag_query)}<br> agent = Agent(planner_llm, reflector_llm, tools, Memory())<br> trace = agent.run("What is agentic RAG?", max_steps=1)<br> Guardrails and Safety<br> Input validation on tools (types, ranges, allowlists).<br> Sandboxed execution for file/network operations.<br> Rate limiting and circuit breakers for external APIs.<br> Observability: structured logs and traces per agent step.<br> Testing Strategy<br> Test agents like workflows:</p> <p>Unit-test tools with deterministic inputs/outputs.<br> Mock LLM planners/reflectors to stabilize tests.<br> Scenario tests for end-to-end goals (success criteria + timeouts).<br> from agent_loop import Agent, Memory, Tool</p> <p>def planner_stub(goal, _):<br> return {"tool": "echo", "args": {"text": goal}}</p> <p>def reflector_stub(_):<br> return "reflect"</p> <p>def echo_tool(params):<br> return {"echo": params.get("text", ""), "done": True}</p> <p>def test_agent_runs_one_step():<br> tools = {"echo": Tool("echo", echo_tool)}<br> agent = Agent(planner_stub, reflector_stub, tools, Memory())<br> trace = agent.run("hello", max_steps=3)<br> assert trace[-1]["event"]["result"].get("done") is True<br> Deployment Tips<br> Package agents as stateless workers with externalized memory (DB/object store).<br> Use queues for long-running tasks; record step traces for resumability.<br> Keep prompts modular and versioned; migrate gradually.<br> Wrap-Up<br> Agentic systems shine when you architect for reliability, testability, and observability. Start with a clean loop, consistent tool interfaces, memory separation, and optional multi-agent coordination. Then plug in your LLM vendor and domain-specific tools. Template folders for agents (e.g., foundation, RAG, text extraction) are a solid foundation you can adapt.</p> <p>10 Open-Source Agent Projects to Explore<br> Here are widely used, open-source agent frameworks and projects you can learn from and adapt. Each highlights different patterns: planning, tool use, multi-agent collaboration, memory, and orchestration.</p> <p>Auto-GPT — Autonomous task-driven agent built on GPT models; showcases long-horizon planning and tool use. Link: <a href="https://github.com/Significant-Gravitas/AutoGPT" rel="noopener noreferrer">https://github.com/Significant-Gravitas/AutoGPT</a><br> BabyAGI — Lightweight task management loop (create, prioritize, execute) with vector memory; great for understanding minimal agent cycles. Link: <a href="https://github.com/yoheinakajima/babyagi" rel="noopener noreferrer">https://github.com/yoheinakajima/babyagi</a><br> Microsoft AutoGen — Framework for multi-agent conversations and collaboration with tooling and customization; strong for role-based agent teams. Link: <a href="https://github.com/microsoft/autogen" rel="noopener noreferrer">https://github.com/microsoft/autogen</a><br> CrewAI — Python framework for multi-agent workflows with roles, tools, and processes; emphasizes structured collaboration. Link: <a href="https://github.com/joaomdmoura/crewai" rel="noopener noreferrer">https://github.com/joaomdmoura/crewai</a><br> LangGraph — Graph-based orchestration for agent loops, memory, and control; ideal for building reliable, inspectable agent pipelines. Link: <a href="https://github.com/langchain-ai/langgraph" rel="noopener noreferrer">https://github.com/langchain-ai/langgraph</a><br> LangChain Agents — Tool-using agents with planners, executors, and memory; integrates with a vast ecosystem of tools and vector DBs. Link: <a href="https://python.langchain.com/docs/modules/agents" rel="noopener noreferrer">https://python.langchain.com/docs/modules/agents</a><br> OpenAI Agents SDK — Defines agents with tools and resources and handles orchestration; useful for standardized tool schemas and governance. Link: <a href="https://github.com/openai/openai-agents-python" rel="noopener noreferrer">https://github.com/openai/openai-agents-python</a><br> CAMEL — Role-playing multi-agent framework with task decomposition and negotiation; useful for research on collaboration dynamics. Link: <a href="https://github.com/camel-ai/camel" rel="noopener noreferrer">https://github.com/camel-ai/camel</a><br> AgentGPT (Web) — Browser-based autonomous agent setup for quick experiments; helpful to visualize prompts and iterative action loops. Link: <a href="https://github.com/reworkd/AgentGPT" rel="noopener noreferrer">https://github.com/reworkd/AgentGPT</a><br> ReAct Pattern Implementations — Combines reasoning traces with tool actions; many open implementations to learn prompt design and action validation. Link: <a href="https://arxiv.org/abs/2210.03629" rel="noopener noreferrer">https://arxiv.org/abs/2210.03629</a><br> Use these as references to pressure-test your design choices: planning reliability, tool APIs, memory schema, observability, and recovery strategies.</p> <p>About the Author<br> Written by Suraj Khaitan — Gen AI Architect | Working on serverless AI &amp; cloud platforms.</p> ai agents mcp agentaichallenge Suraj Khaitan Sun, 30 Nov 2025 14:14:19 +0000 https://dev.to/suraj_khaitan_f893c243958/from-static-docs-to-living-knowledge-building-an-sts-aware-retrieval-augmented-agent-backend-dng https://dev.to/suraj_khaitan_f893c243958/from-static-docs-to-living-knowledge-building-an-sts-aware-retrieval-augmented-agent-backend-dng <p>We’ve all seen impressive GenAI demos. Yet, in day‑to‑day engineering, the questions are softer but more real: How do we keep answers trustworthy? How do we respect access boundaries without slowing teams down? This article offers a practical, human‑centered path—from raw documents and images to a secure, explainable knowledge layer—powered by session‑aware authorization (STS) and a simple agent + tools pattern.</p> <p>Tone and structure are inspired by thoughtful architecture writing like “Architecture of AI‑Driven Systems” on Python Plain English, focusing on clarity, trade‑offs, and gentle guidance rather than hype.</p> <h2> Why This Matters </h2> <ul> <li>RAG without authorization is a liability. Enterprise data needs session‑scoped controls, revocation, and auditability.</li> <li>Accuracy is not enough; answers must be explainable and reproducible across versions.</li> <li>Multimodal inputs (PDFs, images) require consistent ingestion and normalization before indexing.</li> </ul> <h2> Architecture Snapshot </h2> <ul> <li>Knowledge Base Services: ingestion, chunking, embedding, indexing (vector + graph), retrieval, and an STS manager for authorization.</li> <li>Agent Services: an agent wrapper orchestrates LLMs, tools, and guardrails; file upload and history modules support UX continuity.</li> <li>Tool Services: domain tools (retriever, SQL, custom) invoked by agents.</li> </ul> <p>Flow: Upload → Initialize → Read/Image2Text → Chunk → Embed → Index (Vector + Graph) → Retrieve → STS Filter → Agent Compose → Response with citations.</p> <h2> RAG Architecture : </h2> <p>![RAG Architecture]<br> ![ ](<a href="https://dev-to-uploads.s3.amazonaws.com/uploads/articles/skbtam21zt7piw76ey6f.png" rel="noopener noreferrer">https://dev-to-uploads.s3.amazonaws.com/uploads/articles/skbtam21zt7piw76ey6f.png</a></p> <h2> Multimodal Ingestion </h2> <p>Key components:</p> <ul> <li>Reading: parse PDFs/text, normalize content, attach metadata (doc_id, page).</li> <li>Image‑to‑Text: extract text from images, unify format.</li> <li>Initialization: bootstraps pipelines, configs, and version stamps.</li> </ul> <p>Design tips:</p> <ul> <li>Normalize MIME and metadata early; downstream pipelines assume clean structure.</li> <li>Batch I/O with retries; track ingestion version to reproduce embeddings.</li> </ul> <h2> Smart Chunking for Better Retrieval </h2> <ul> <li>Chunking: semantic and rule‑based chunkers.</li> <li>Keep chunks small enough for LLM context but rich in metadata (section, page, hierarchy).</li> <li>Add relationship edges to support graph queries (e.g., section→subsection).</li> </ul> <h2> Embeddings + Dual Indexes </h2> <ul> <li>Embeddings: choose model, normalize vectors, stamp versions.</li> <li>Vector Indexing: push to a vector store for semantic search.</li> <li>Graph Indexing: persist relationships and provenance.</li> </ul> <p>Why two indexes?</p> <ul> <li>Vector search finds semantically related content.</li> <li>Graph retrieves lineage and context (citations, related sections), improving explainability.</li> </ul> <h2> Retrieval Orchestration </h2> <ul> <li>Vector and Graph Retrievers: specialized retrievers.</li> <li>Hybrid Retrieval Orchestrator: fuses results from both stores.</li> </ul> <p>Pattern:</p> <ol> <li>Try semantic (vector) for recall.</li> <li>Expand via graph for context and provenance.</li> <li>Fuse, rank, and return with metadata for STS filtering.</li> </ol> <h2> STS‑Aware Authorization </h2> <ul> <li>STS Manager: resolves session→permissions, applies policies, and filters retrieval candidates.</li> <li>Enforce authorization before the agent composes answers; never let tools see disallowed content.</li> </ul> <p>Benefits:</p> <ul> <li>Session‑scoped access, policy revocation, and audit trails.</li> <li>Prevents prompt injection using forbidden context.</li> </ul> <h2> Agents + Tools: The Execution Layer </h2> <ul> <li>Agent Wrapper: wires LLM prompts, tools, and guardrails; manages tool selection.</li> <li>Tools: retriever and SQL tools for controlled data access.</li> <li>Compose answers with citations sourced from graph metadata.</li> </ul> <p>Execution pattern:</p> <ul> <li>Agent decides → Tool executes → STS filters → Agent composes → Return answer + sources.</li> </ul> <h2> Observability, Versioning, and Deletion </h2> <ul> <li> <code>knowledge_base_services/deletion/</code>: right‑to‑be‑forgotten and data lifecycle.</li> <li> <code>agent_services/history_services/</code>: conversational trace for monitoring and explainability.</li> <li>Index/embedding version stamps to reproduce runs.</li> </ul> <h2> Example Flow (Generic Pseudo‑Code) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># 1) Ingest + Normalize </span><span class="n">content_items</span> <span class="o">=</span> <span class="n">reading</span><span class="p">.</span><span class="nf">read_batch</span><span class="p">(</span><span class="n">files</span><span class="p">)</span> <span class="n">image_text</span> <span class="o">=</span> <span class="n">image_to_text</span><span class="p">.</span><span class="nf">extract</span><span class="p">(</span><span class="n">images</span><span class="p">)</span> <span class="n">normalized</span> <span class="o">=</span> <span class="n">initializer</span><span class="p">.</span><span class="nf">normalize</span><span class="p">(</span><span class="n">content_items</span> <span class="o">+</span> <span class="n">image_text</span><span class="p">)</span> <span class="c1"># 2) Chunk + Embed </span><span class="n">chunks</span> <span class="o">=</span> <span class="n">chunker</span><span class="p">.</span><span class="nf">semantic</span><span class="p">(</span><span class="n">normalized</span><span class="p">)</span> <span class="n">vecs</span> <span class="o">=</span> <span class="n">embedder</span><span class="p">.</span><span class="nf">batch_embed</span><span class="p">(</span><span class="n">chunks</span><span class="p">)</span> <span class="c1"># 3) Index (Vector + Graph) </span><span class="n">vector_index</span><span class="p">.</span><span class="nf">write</span><span class="p">(</span><span class="n">vecs</span><span class="p">,</span> <span class="n">chunks</span><span class="p">)</span> <span class="n">graph_index</span><span class="p">.</span><span class="nf">link</span><span class="p">(</span><span class="n">chunks</span><span class="p">,</span> <span class="n">relations</span><span class="o">=</span><span class="p">...)</span> <span class="c1"># 4) Retrieve with STS filter </span><span class="n">candidates</span> <span class="o">=</span> <span class="n">hybrid_retriever</span><span class="p">.</span><span class="nf">search</span><span class="p">(</span><span class="n">query</span><span class="p">,</span> <span class="n">k</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="n">authorized</span> <span class="o">=</span> <span class="n">sts</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="n">session</span><span class="p">,</span> <span class="n">candidates</span><span class="p">)</span> <span class="c1"># 5) Agent + Tools compose </span><span class="n">answer</span> <span class="o">=</span> <span class="n">agent</span><span class="p">.</span><span class="nf">run</span><span class="p">(</span> <span class="n">query</span><span class="o">=</span><span class="n">query</span><span class="p">,</span> <span class="n">tools</span><span class="o">=</span><span class="p">[</span><span class="n">retriever_tool</span><span class="p">,</span> <span class="n">sql_tool</span><span class="p">],</span> <span class="n">context</span><span class="o">=</span><span class="n">authorized</span><span class="p">,</span> <span class="n">with_citations</span><span class="o">=</span><span class="bp">True</span> <span class="p">)</span> </code></pre> </div> <p>Gentle guidance: keep module names and interfaces simple. Start with clear, testable boundaries—ingest, chunk, embed, index, retrieve, filter, compose—and iterate. Good names reduce cognitive load and make onboarding kinder.</p> <h2> What to Showcase in the Post </h2> <ul> <li>Ingestion dispatch by MIME and metadata (reading, image‑to‑text, initialization).</li> <li>Semantic chunker attaching rich metadata (chunking).</li> <li>Batched embeddings + vector indexing with versioned names (embeddings, vector index).</li> <li>Hybrid retrieval orchestrator with fusion and fallbacks (vector retriever, graph retriever).</li> <li>STS filter gating results before agent sees them (STS manager).</li> <li>Agent tool wiring and citation composition (agent wrapper, tools).</li> </ul> <h2> Benchmarks and Learnings </h2> <ul> <li>Track latency across stages: ingestion, embedding, indexing, retrieval, STS filtering, agent composition.</li> <li>Measure precision@k and citation correctness.</li> <li>Common pitfalls: over‑aggressive chunking, stale embeddings after content updates, authorization drift.</li> </ul> <h2> Quick Demo Hooks </h2> <p>Consider adding a minimal script that:</p> <ul> <li>Loads a sample doc + image.</li> <li>Runs ingestion→chunk→embed→index.</li> <li>Executes a hybrid retrieval for a test query.</li> <li>Applies STS filter for two different sessions.</li> <li>Prints answer with citations and filtered item counts.</li> </ul> <p>Optional starting point:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create a tiny virtual environment and run the demo</span> python <span class="nt">-m</span> venv .venv<span class="p">;</span> .<span class="se">\.</span>venv<span class="se">\S</span>cripts<span class="se">\A</span>ctivate.ps1 python demo/sts_rag_demo.py </code></pre> </div> <h2> Closing Checklist for Enterprise‑Grade RAG </h2> <ul> <li>Ingestion discipline with consistent metadata.</li> <li>Chunking strategy matched to content structure.</li> <li>Dual index (vector + graph) for recall + explainability.</li> <li>Retrieval orchestration with fusion and fallbacks.</li> <li>STS enforcement before agent composition.</li> <li>Observability: versions, histories, and deletion paths.</li> </ul> <h2> About the Author </h2> <p>Written by Suraj Khaitan<br> — Gen AI Architect | Working on serverless AI &amp; cloud platforms.</p> ai rag aws python Suraj Khaitan Sat, 22 Nov 2025 03:49:49 +0000 https://dev.to/suraj_khaitan_f893c243958/the-ultimate-guide-to-intelligent-document-parsing-building-a-universal-file-reader-system-4ojo https://dev.to/suraj_khaitan_f893c243958/the-ultimate-guide-to-intelligent-document-parsing-building-a-universal-file-reader-system-4ojo <p><em>How to extract meaningful data from PDFs, Excel sheets, images, and 10+ file formats using smart parsing strategies</em></p> <h2> The Document Processing Dilemma </h2> <p>Picture this: Your application needs to process documents. Sounds simple, right? But here's the catch—documents come in countless formats: PDFs, Word files, Excel spreadsheets, PowerPoint presentations, images, HTML, JSON, XML, and more. Each format has its own quirks, structure, and extraction challenges.</p> <p>Traditional solutions often involve cobbling together different libraries, writing repetitive code, and dealing with edge cases for each file type. What if there was a better way?</p> <p>In this article, I'll show you how to build an extensible, production-ready document parsing system that handles 10+ file formats with a unified interface, supports both native extraction and OCR processing, and scales to handle millions of documents.</p> <h2> 🎯 The Architecture: Three Key Principles </h2> <h3> 1. <strong>Abstraction Through Base Classes</strong> </h3> <p>The foundation of any great parsing system is a well-designed abstraction layer. Instead of writing separate logic for each file type, we create a <code>BaseReader</code> class that defines the common interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">BaseReader</span><span class="p">(</span><span class="n">ABC</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Abstract base class for all document readers</span><span class="sh">"""</span> <span class="c1"># File type categories </span> <span class="n">OCR_ONLY_EXTENSIONS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">.png</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.jpg</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.jpeg</span><span class="sh">"</span><span class="p">}</span> <span class="n">NATIVE_ONLY_EXTENSIONS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">.csv</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.xlsx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.xls</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.json</span><span class="sh">"</span><span class="p">}</span> <span class="n">HYBRID_EXTENSIONS</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">.pdf</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.docx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.doc</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.pptx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.ppt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.txt</span><span class="sh">"</span><span class="p">}</span> <span class="nd">@abstractmethod</span> <span class="k">def</span> <span class="nf">extract_content</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">IntermediateModel</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Extract content from the document</span><span class="sh">"""</span> <span class="k">pass</span> <span class="k">def</span> <span class="nf">should_use_ocr</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Determine whether to use OCR based on file type</span><span class="sh">"""</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">OCR_ONLY_EXTENSIONS</span><span class="p">:</span> <span class="k">return</span> <span class="bp">True</span> <span class="k">elif</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="ow">in</span> <span class="n">self</span><span class="p">.</span><span class="n">NATIVE_ONLY_EXTENSIONS</span><span class="p">:</span> <span class="k">return</span> <span class="bp">False</span> <span class="k">else</span><span class="p">:</span> <span class="c1"># HYBRID_EXTENSIONS </span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">processing_config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">optical_recognition</span><span class="sh">"</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> </code></pre> </div> <p><strong>Why this matters:</strong> This design pattern allows each file type to implement its own extraction logic while maintaining a consistent interface. Adding support for a new file format? Just create a new reader class that inherits from <code>BaseReader</code>.</p> <h3> 2. <strong>Dual Processing Modes: Native vs OCR</strong> </h3> <p>Different documents require different extraction approaches:</p> <ul> <li> <strong>Native Processing</strong>: Direct content extraction using format-specific libraries (fast, preserves structure)</li> <li> <strong>OCR Processing</strong>: Optical Character Recognition for scanned documents or images (slower, handles visual content)</li> </ul> <p>Our system intelligently chooses the right approach:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">get_reader_for_file</span><span class="p">(</span><span class="n">file_data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">BaseReader</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Return the appropriate reader instance for the file type</span><span class="sh">"""</span> <span class="n">file_type</span> <span class="o">=</span> <span class="n">file_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">file_type</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">).</span><span class="nf">lower</span><span class="p">()</span> <span class="k">if</span> <span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.pdf</span><span class="sh">"</span><span class="p">:</span> <span class="k">return</span> <span class="nc">PDFReader</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">)</span> <span class="k">elif</span> <span class="n">file_type</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">.txt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.xml</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.html</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.json</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.csv</span><span class="sh">"</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">TextReader</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">)</span> <span class="k">elif</span> <span class="n">file_type</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">.xlsx</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.xls</span><span class="sh">"</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">ExcelReader</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">)</span> <span class="k">elif</span> <span class="n">file_type</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">.png</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.jpg</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.jpeg</span><span class="sh">"</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">ImageReader</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">)</span> <span class="k">elif</span> <span class="n">file_type</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">.ppt</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.pptx</span><span class="sh">"</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">PresentationReader</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">)</span> <span class="k">elif</span> <span class="n">file_type</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">.doc</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">.docx</span><span class="sh">"</span><span class="p">]:</span> <span class="k">return</span> <span class="nc">WordReader</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">processing_config</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">ValueError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unsupported file type: </span><span class="si">{</span><span class="n">file_type</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 3. <strong>Standardized Output Format</strong> </h3> <p>Regardless of input format, all readers output a consistent <code>IntermediateModel</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">intermediate_model</span> <span class="o">=</span> <span class="nc">IntermediateModel</span><span class="p">(</span> <span class="n">file_id</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">file_id</span><span class="p">,</span> <span class="n">file_name</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">file_name</span><span class="p">,</span> <span class="n">file_url</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">file_url</span><span class="p">,</span> <span class="n">file_type</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">file_type</span><span class="p">,</span> <span class="n">kb_id</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">kb_id</span><span class="p">,</span> <span class="n">content</span><span class="o">=</span><span class="n">content</span> <span class="c1"># Structured content dictionary </span><span class="p">)</span> </code></pre> </div> <p>This standardization makes downstream processing (chunking, indexing, searching) incredibly simple.</p> <h2> 📄 Deep Dive: Format-Specific Strategies </h2> <h3> <strong>PDF Processing: The Hybrid Approach</strong> </h3> <p>PDFs are tricky because they can contain both machine-readable text and scanned images. Our <code>PDFReader</code> handles both scenarios:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">PDFReader</span><span class="p">(</span><span class="n">BaseReader</span><span class="p">):</span> <span class="k">def</span> <span class="nf">extract_content</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">IntermediateModel</span><span class="p">:</span> <span class="n">use_ocr</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">should_use_ocr</span><span class="p">()</span> <span class="n">extract_images</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="n">processing_config</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">image_2_text</span><span class="sh">"</span><span class="p">,</span> <span class="bp">False</span><span class="p">)</span> <span class="k">if</span> <span class="n">use_ocr</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_with_ocr</span><span class="p">()</span> <span class="c1"># AWS Textract </span> <span class="k">else</span><span class="p">:</span> <span class="n">content</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_native</span><span class="p">()</span> <span class="c1"># PyPDF2/pdfplumber </span> <span class="k">if</span> <span class="n">extract_images</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_and_save_images</span><span class="p">(</span><span class="n">content</span><span class="p">)</span> <span class="c1"># PyMuPDF </span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_build_intermediate_model</span><span class="p">(</span><span class="n">content</span><span class="p">)</span> </code></pre> </div> <p><strong>Native extraction</strong> using PyPDF2 is lightning-fast for text-based PDFs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_extract_native</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">local_file_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">rb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="nb">file</span><span class="p">:</span> <span class="n">pdf_reader</span> <span class="o">=</span> <span class="nc">PdfReader</span><span class="p">(</span><span class="nb">file</span><span class="p">)</span> <span class="n">content</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">page_num</span><span class="p">,</span> <span class="n">page</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">pdf_reader</span><span class="p">.</span><span class="n">pages</span><span class="p">):</span> <span class="n">page_text</span> <span class="o">=</span> <span class="n">page</span><span class="p">.</span><span class="nf">extract_text</span><span class="p">()</span> <span class="n">content</span><span class="p">[</span><span class="sa">f</span><span class="sh">"</span><span class="s">page_</span><span class="si">{</span><span class="n">page_num</span><span class="si">}</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">page_text</span><span class="p">.</span><span class="nf">strip</span><span class="p">(),</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pdf_page</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">page_number</span><span class="sh">"</span><span class="p">:</span> <span class="n">page_num</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">images</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="k">return</span> <span class="n">content</span> </code></pre> </div> <p><strong>Pro tip:</strong> For PDFs with embedded images or complex layouts, OCR processing with AWS Textract provides superior results, detecting tables, forms, and relationships between elements.</p> <h3> <strong>Excel &amp; Spreadsheets: Preserving Structure</strong> </h3> <p>Excel files contain structured data that must be preserved. Our <code>ExcelReader</code> uses <code>openpyxl</code> to maintain the table structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">ExcelReader</span><span class="p">(</span><span class="n">BaseReader</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_process_worksheet</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">worksheet</span><span class="p">,</span> <span class="n">sheet_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Extract with table structure </span> <span class="n">rows_data</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">row</span> <span class="ow">in</span> <span class="n">worksheet</span><span class="p">.</span><span class="nf">iter_rows</span><span class="p">(</span><span class="n">values_only</span><span class="o">=</span><span class="bp">True</span><span class="p">):</span> <span class="n">row_values</span> <span class="o">=</span> <span class="p">[</span><span class="nf">str</span><span class="p">(</span><span class="n">cell</span><span class="p">)</span> <span class="k">if</span> <span class="n">cell</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="k">else</span> <span class="sh">""</span> <span class="k">for</span> <span class="n">cell</span> <span class="ow">in</span> <span class="n">row</span><span class="p">]</span> <span class="k">if</span> <span class="nf">any</span><span class="p">(</span><span class="n">row_values</span><span class="p">):</span> <span class="c1"># Skip empty rows </span> <span class="n">rows_data</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">row_values</span><span class="p">)</span> <span class="c1"># Format as structured text </span> <span class="n">text_content</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_format_table_as_text</span><span class="p">(</span><span class="n">rows_data</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">text_content</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">excel_sheet</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sheet_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">sheet_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">row_count</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">rows_data</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key insight:</strong> Converting tabular data to readable text format makes it searchable while preserving the relationship between cells.</p> <h3> <strong>Images: OCR is Your Best Friend</strong> </h3> <p>Images require OCR processing since there's no native text to extract. Our <code>ImageReader</code> leverages AWS Textract:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">ImageReader</span><span class="p">(</span><span class="n">BaseReader</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_extract_with_textract</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">textract</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">textract</span><span class="sh">"</span><span class="p">)</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">local_file_path</span><span class="p">,</span> <span class="sh">"</span><span class="s">rb</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="nb">file</span><span class="p">:</span> <span class="n">image_bytes</span> <span class="o">=</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="c1"># Call Textract to detect text </span> <span class="n">response</span> <span class="o">=</span> <span class="n">textract</span><span class="p">.</span><span class="nf">detect_document_text</span><span class="p">(</span> <span class="n">Document</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">Bytes</span><span class="sh">"</span><span class="p">:</span> <span class="n">image_bytes</span><span class="p">}</span> <span class="p">)</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_textract_response</span><span class="p">(</span><span class="n">response</span><span class="p">)</span> <span class="k">def</span> <span class="nf">_process_textract_response</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">response</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="c1"># Extract lines and words from Textract response </span> <span class="n">lines</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">block</span> <span class="ow">in</span> <span class="n">response</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">Blocks</span><span class="sh">"</span><span class="p">,</span> <span class="p">[]):</span> <span class="k">if</span> <span class="n">block</span><span class="p">[</span><span class="sh">"</span><span class="s">BlockType</span><span class="sh">"</span><span class="p">]</span> <span class="o">==</span> <span class="sh">"</span><span class="s">LINE</span><span class="sh">"</span><span class="p">:</span> <span class="n">lines</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">block</span><span class="p">[</span><span class="sh">"</span><span class="s">Text</span><span class="sh">"</span><span class="p">])</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">page_0</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">lines</span><span class="p">),</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ocr_status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Best practice:</strong> Always implement file size checks—Textract has a 10MB limit for synchronous calls. For larger files, use asynchronous processing.</p> <h3> <strong>Word Documents: Handle Both .docx and Legacy .doc</strong> </h3> <p>Modern <code>.docx</code> files use <code>python-docx</code> for native extraction, while legacy <code>.doc</code> files require OCR:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">WordReader</span><span class="p">(</span><span class="n">BaseReader</span><span class="p">):</span> <span class="k">def</span> <span class="nf">extract_content</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">IntermediateModel</span><span class="p">:</span> <span class="n">use_ocr</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">should_use_ocr</span><span class="p">()</span> <span class="k">if</span> <span class="n">use_ocr</span><span class="p">:</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_with_ocr</span><span class="p">()</span> <span class="k">else</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_native</span><span class="p">()</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.doc</span><span class="sh">"</span><span class="p">:</span> <span class="c1"># Legacy format not supported natively </span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="nf">_return_unsupported_status</span><span class="p">(</span> <span class="sh">"</span><span class="s">Enable OCR to process .doc files</span><span class="sh">"</span> <span class="p">)</span> <span class="k">raise</span> <span class="n">e</span> </code></pre> </div> <p>The native extraction preserves document structure including paragraphs, tables, and images:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_extract_native</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">doc</span> <span class="o">=</span> <span class="nc">Document</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">local_file_path</span><span class="p">)</span> <span class="n">content</span> <span class="o">=</span> <span class="p">{}</span> <span class="n">page_index</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">for</span> <span class="n">element</span> <span class="ow">in</span> <span class="n">doc</span><span class="p">.</span><span class="n">element</span><span class="p">.</span><span class="n">body</span><span class="p">:</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">element</span><span class="p">,</span> <span class="n">CT_P</span><span class="p">):</span> <span class="c1"># Paragraph </span> <span class="n">para</span> <span class="o">=</span> <span class="nc">Paragraph</span><span class="p">(</span><span class="n">element</span><span class="p">,</span> <span class="n">doc</span><span class="p">)</span> <span class="n">content</span><span class="p">[</span><span class="sa">f</span><span class="sh">"</span><span class="s">page_</span><span class="si">{</span><span class="n">page_index</span><span class="si">}</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">para</span><span class="p">.</span><span class="n">text</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">paragraph</span><span class="sh">"</span> <span class="p">}</span> <span class="k">elif</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">element</span><span class="p">,</span> <span class="n">CT_Tbl</span><span class="p">):</span> <span class="c1"># Table </span> <span class="n">table</span> <span class="o">=</span> <span class="nc">Table</span><span class="p">(</span><span class="n">element</span><span class="p">,</span> <span class="n">doc</span><span class="p">)</span> <span class="n">table_text</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_table_text</span><span class="p">(</span><span class="n">table</span><span class="p">)</span> <span class="n">content</span><span class="p">[</span><span class="sa">f</span><span class="sh">"</span><span class="s">page_</span><span class="si">{</span><span class="n">page_index</span><span class="si">}</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">table_text</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">table</span><span class="sh">"</span> <span class="p">}</span> <span class="n">page_index</span> <span class="o">+=</span> <span class="mi">1</span> <span class="k">return</span> <span class="n">content</span> </code></pre> </div> <h3> <strong>PowerPoint: Extract Slides, Text, and Images</strong> </h3> <p>Presentations combine text, images, and structured layouts. Our <code>PresentationReader</code> handles all of it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">PresentationReader</span><span class="p">(</span><span class="n">BaseReader</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_extract_native</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">prs</span> <span class="o">=</span> <span class="nc">Presentation</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">local_file_path</span><span class="p">)</span> <span class="n">content</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">for</span> <span class="n">slide_num</span><span class="p">,</span> <span class="n">slide</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">prs</span><span class="p">.</span><span class="n">slides</span><span class="p">):</span> <span class="n">slide_content</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="sh">""</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">slide</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">slide_number</span><span class="sh">"</span><span class="p">:</span> <span class="n">slide_num</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">images</span><span class="sh">"</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}</span> <span class="c1"># Extract text from all shapes </span> <span class="n">text_parts</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">shape</span> <span class="ow">in</span> <span class="n">slide</span><span class="p">.</span><span class="n">shapes</span><span class="p">:</span> <span class="k">if</span> <span class="nf">hasattr</span><span class="p">(</span><span class="n">shape</span><span class="p">,</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">):</span> <span class="n">text_parts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">shape</span><span class="p">.</span><span class="n">text</span><span class="p">)</span> <span class="c1"># Handle tables </span> <span class="k">if</span> <span class="n">shape</span><span class="p">.</span><span class="n">shape_type</span> <span class="o">==</span> <span class="n">MSO_SHAPE_TYPE</span><span class="p">.</span><span class="n">TABLE</span><span class="p">:</span> <span class="n">table_text</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_extract_table_text</span><span class="p">(</span><span class="n">shape</span><span class="p">.</span><span class="n">table</span><span class="p">)</span> <span class="n">text_parts</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">table_text</span><span class="p">)</span> <span class="n">slide_content</span><span class="p">[</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="sh">"</span><span class="se">\n</span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">text_parts</span><span class="p">)</span> <span class="n">content</span><span class="p">[</span><span class="sa">f</span><span class="sh">"</span><span class="s">page_</span><span class="si">{</span><span class="n">slide_num</span><span class="si">}</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="n">slide_content</span> <span class="k">return</span> <span class="n">content</span> </code></pre> </div> <h3> <strong>Text-Based Formats: HTML, XML, JSON, CSV</strong> </h3> <p>For text-based formats, our <code>TextReader</code> uses built-in Python libraries to minimize dependencies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">TextReader</span><span class="p">(</span><span class="n">BaseReader</span><span class="p">):</span> <span class="k">def</span> <span class="nf">_extract_native</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">with</span> <span class="nf">open</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">local_file_path</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="nf">_detect_encoding</span><span class="p">())</span> <span class="k">as</span> <span class="nb">file</span><span class="p">:</span> <span class="n">raw_content</span> <span class="o">=</span> <span class="nb">file</span><span class="p">.</span><span class="nf">read</span><span class="p">()</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.txt</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed_text</span> <span class="o">=</span> <span class="n">raw_content</span> <span class="k">elif</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.xml</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed_text</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_xml</span><span class="p">(</span><span class="n">raw_content</span><span class="p">)</span> <span class="k">elif</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.html</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed_text</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_html</span><span class="p">(</span><span class="n">raw_content</span><span class="p">)</span> <span class="k">elif</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.json</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed_text</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_json</span><span class="p">(</span><span class="n">raw_content</span><span class="p">)</span> <span class="k">elif</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span> <span class="o">==</span> <span class="sh">"</span><span class="s">.csv</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed_text</span> <span class="o">=</span> <span class="n">self</span><span class="p">.</span><span class="nf">_process_csv</span><span class="p">(</span><span class="n">raw_content</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">page_0</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">processed_text</span><span class="p">,</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">file_type</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sh">"</span><span class="s">.</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>HTML extraction</strong> uses a custom parser to strip tags while preserving content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">HTMLTextExtractor</span><span class="p">(</span><span class="n">HTMLParser</span><span class="p">):</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">):</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">text_content</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">def</span> <span class="nf">handle_data</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">data</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">if</span> <span class="n">self</span><span class="p">.</span><span class="n">current_tag</span> <span class="ow">not</span> <span class="ow">in</span> <span class="p">[</span><span class="sh">"</span><span class="s">script</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">style</span><span class="sh">"</span><span class="p">]:</span> <span class="n">cleaned</span> <span class="o">=</span> <span class="n">data</span><span class="p">.</span><span class="nf">strip</span><span class="p">()</span> <span class="k">if</span> <span class="n">cleaned</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">text_content</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">cleaned</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_text</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="sh">"</span><span class="s"> </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">text_content</span><span class="p">)</span> </code></pre> </div> <h2> 🎨 Image Extraction: Going Beyond Text </h2> <p>Many documents contain valuable information in images. Our system can extract and save images separately:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_extract_and_save_images</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">content</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Extract images from PDF and save to S3</span><span class="sh">"""</span> <span class="n">pdf_document</span> <span class="o">=</span> <span class="n">fitz</span><span class="p">.</span><span class="nf">open</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">local_file_path</span><span class="p">)</span> <span class="k">for</span> <span class="n">page_num</span> <span class="ow">in</span> <span class="nf">range</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">pdf_document</span><span class="p">)):</span> <span class="n">page</span> <span class="o">=</span> <span class="n">pdf_document</span><span class="p">[</span><span class="n">page_num</span><span class="p">]</span> <span class="n">image_list</span> <span class="o">=</span> <span class="n">page</span><span class="p">.</span><span class="nf">get_images</span><span class="p">()</span> <span class="k">for</span> <span class="n">img_index</span><span class="p">,</span> <span class="n">img</span> <span class="ow">in</span> <span class="nf">enumerate</span><span class="p">(</span><span class="n">image_list</span><span class="p">):</span> <span class="n">xref</span> <span class="o">=</span> <span class="n">img</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="n">base_image</span> <span class="o">=</span> <span class="n">pdf_document</span><span class="p">.</span><span class="nf">extract_image</span><span class="p">(</span><span class="n">xref</span><span class="p">)</span> <span class="n">image_bytes</span> <span class="o">=</span> <span class="n">base_image</span><span class="p">[</span><span class="sh">"</span><span class="s">image</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># Generate unique image identifier </span> <span class="n">image_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="n">image_key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">images/</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">kb_id</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">image_id</span><span class="si">}</span><span class="s">.</span><span class="si">{</span><span class="n">base_image</span><span class="p">[</span><span class="sh">'</span><span class="s">ext</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># Upload to S3 </span> <span class="n">self</span><span class="p">.</span><span class="n">s3_client</span><span class="p">.</span><span class="nf">put_object</span><span class="p">(</span> <span class="n">Bucket</span><span class="o">=</span><span class="n">self</span><span class="p">.</span><span class="n">bucket_name</span><span class="p">,</span> <span class="n">Key</span><span class="o">=</span><span class="n">image_key</span><span class="p">,</span> <span class="n">Body</span><span class="o">=</span><span class="n">image_bytes</span> <span class="p">)</span> <span class="c1"># Track image URL in content </span> <span class="n">image_url</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">s3://</span><span class="si">{</span><span class="n">self</span><span class="p">.</span><span class="n">bucket_name</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">image_key</span><span class="si">}</span><span class="sh">"</span> <span class="n">content</span><span class="p">[</span><span class="sa">f</span><span class="sh">"</span><span class="s">page_</span><span class="si">{</span><span class="n">page_num</span><span class="si">}</span><span class="sh">"</span><span class="p">][</span><span class="sh">"</span><span class="s">images</span><span class="sh">"</span><span class="p">].</span><span class="nf">append</span><span class="p">(</span><span class="n">image_url</span><span class="p">)</span> </code></pre> </div> <p>This enables downstream image-to-text processing or multimodal AI applications.</p> <h2> ⚡ Performance Optimization Strategies </h2> <h3> 1. <strong>Graceful Error Handling</strong> </h3> <p>Never let one problematic file crash the entire batch. Keep processing resilient and report partial successes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">process_single_file</span><span class="p">(</span><span class="n">file_data</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">config</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">reader</span> <span class="o">=</span> <span class="nf">get_reader_for_file</span><span class="p">(</span><span class="n">file_data</span><span class="p">,</span> <span class="n">config</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">:</span> <span class="n">reader</span><span class="p">.</span><span class="nf">process</span><span class="p">()}</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="c1"># Narrow in real code </span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">file_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">file_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">file_id</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">file_name</span><span class="sh">"</span><span class="p">:</span> <span class="n">file_data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">file_name</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">),</span> <span class="p">}</span> </code></pre> </div> <h3> 2. <strong>Numeric Type Normalization</strong> </h3> <p>Different storage layers (NoSQL, relational ORMs, JSON parsers) may return numeric wrappers. Normalize before serialization:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">normalize_numeric</span><span class="p">(</span><span class="n">value</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="c1"># Integers remain integers; decimals become float for JSON </span> <span class="kn">from</span> <span class="n">decimal</span> <span class="kn">import</span> <span class="n">Decimal</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">value</span><span class="p">,</span> <span class="n">Decimal</span><span class="p">):</span> <span class="k">return</span> <span class="nf">int</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="k">if</span> <span class="n">value</span> <span class="o">%</span> <span class="mi">1</span> <span class="o">==</span> <span class="mi">0</span> <span class="k">else</span> <span class="nf">float</span><span class="p">(</span><span class="n">value</span><span class="p">)</span> <span class="k">return</span> <span class="n">value</span> <span class="k">except</span> <span class="nb">ImportError</span><span class="p">:</span> <span class="k">return</span> <span class="n">value</span> <span class="k">def</span> <span class="nf">deep_normalize</span><span class="p">(</span><span class="n">obj</span><span class="p">):</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="nb">dict</span><span class="p">):</span> <span class="k">return</span> <span class="p">{</span><span class="n">k</span><span class="p">:</span> <span class="nf">deep_normalize</span><span class="p">(</span><span class="n">v</span><span class="p">)</span> <span class="k">for</span> <span class="n">k</span><span class="p">,</span> <span class="n">v</span> <span class="ow">in</span> <span class="n">obj</span><span class="p">.</span><span class="nf">items</span><span class="p">()}</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">obj</span><span class="p">,</span> <span class="nb">list</span><span class="p">):</span> <span class="k">return</span> <span class="p">[</span><span class="nf">deep_normalize</span><span class="p">(</span><span class="n">i</span><span class="p">)</span> <span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">obj</span><span class="p">]</span> <span class="k">return</span> <span class="nf">normalize_numeric</span><span class="p">(</span><span class="n">obj</span><span class="p">)</span> </code></pre> </div> <h2> 🔧 Putting It All Together: Generic Batch Pipeline </h2> <p>A framework-agnostic example that you can call from a CLI, a web job, or a worker queue:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">process_documents</span><span class="p">(</span><span class="n">files</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">],</span> <span class="n">config</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Process a list of file metadata dictionaries. files: each dict contains at least file_id, file_name, file_type, file_url config: processing flags (e.g., {</span><span class="sh">"</span><span class="s">optical_recognition</span><span class="sh">"</span><span class="s">: True}) </span><span class="sh">"""</span> <span class="n">results</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">f</span> <span class="ow">in</span> <span class="n">files</span><span class="p">:</span> <span class="n">normalized</span> <span class="o">=</span> <span class="nf">deep_normalize</span><span class="p">(</span><span class="n">f</span><span class="p">)</span> <span class="n">results</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="nf">process_single_file</span><span class="p">(</span><span class="n">normalized</span><span class="p">,</span> <span class="n">config</span><span class="p">))</span> <span class="n">summary</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">total</span><span class="sh">"</span><span class="p">:</span> <span class="nf">len</span><span class="p">(</span><span class="n">results</span><span class="p">),</span> <span class="sh">"</span><span class="s">success</span><span class="sh">"</span><span class="p">:</span> <span class="nf">sum</span><span class="p">(</span><span class="mi">1</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">errors</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span><span class="n">r</span> <span class="k">for</span> <span class="n">r</span> <span class="ow">in</span> <span class="n">results</span> <span class="k">if</span> <span class="n">r</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">results</span><span class="sh">"</span><span class="p">:</span> <span class="n">results</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">summary</span> <span class="c1"># Example usage: # documents = load_pending_documents_from_store() # outcome = process_documents(documents, {"optical_recognition": False}) # print(json.dumps(outcome, indent=2)) </span></code></pre> </div> <h2> 🚀 Real-World Benefits </h2> <p>This architecture delivers:</p> <ol> <li> <strong>Extensibility</strong>: Add new file formats by creating a new reader class</li> <li> <strong>Flexibility</strong>: Switch between native and OCR processing per document</li> <li> <strong>Scalability</strong>: Works across threads, workers, or serverless functions</li> <li> <strong>Reliability</strong>: Graceful error handling and status tracking</li> <li> <strong>Maintainability</strong>: Clean abstraction layer and consistent interfaces</li> </ol> <h2> 💡 Key Takeaways </h2> <p>Building a production-ready document parsing system requires:</p> <p>✅ <strong>Strong abstraction layer</strong> with base classes defining common interfaces<br><br> ✅ <strong>Format-specific strategies</strong> using the best library for each file type<br><br> ✅ <strong>Dual processing modes</strong> (native + OCR) for maximum coverage<br><br> ✅ <strong>Standardized output</strong> making downstream processing trivial<br><br> ✅ <strong>Robust error handling</strong> to prevent pipeline failures<br><br> ✅ <strong>Performance optimization</strong> through smart dependency management </p> <h2> What's Next? </h2> <p>Consider these enhancements for your parsing system:</p> <ul> <li> <strong>Multimodal processing</strong>: Combine text with image embeddings</li> <li> <strong>Table extraction</strong>: Preserve table structure for structured data</li> <li> <strong>Layout analysis</strong>: Maintain document formatting and hierarchy</li> <li> <strong>Incremental processing</strong>: Handle document updates efficiently</li> <li> <strong>Quality metrics</strong>: Track extraction confidence and completeness</li> </ul> <h2> Conclusion </h2> <p>Document parsing doesn't have to be painful. With the right architecture—abstraction, format-specific strategies, and intelligent processing modes—you can build a system that handles any file format thrown at it.</p> <p>The key is to think in terms of <strong>interfaces, not implementations</strong>. By defining a clear contract through the <code>BaseReader</code> class, you create a system that's both powerful and maintainable.</p> <p>Whether you're building a knowledge base, search engine, or AI application, these patterns will serve you well. Start with the formats you need today, and confidently add new ones tomorrow.</p> <p><em>Have you built a document parsing system? What challenges did you face? Share your experiences in the comments below!</em></p> <h2> Resources </h2> <ul> <li> <strong>PyPDF2</strong>: PDF text extraction</li> <li> <strong>openpyxl</strong>: Excel file processing</li> <li> <strong>python-docx</strong>: Word document handling</li> <li> <strong>python-pptx</strong>: PowerPoint processing</li> <li> <strong>AWS Textract</strong>: OCR service for images and scanned documents</li> <li> <strong>PyMuPDF (fitz)</strong>: PDF image extraction</li> </ul> <h2> About the Author </h2> <p>Written by Suraj Khaitan<br> — Gen AI Architect | Working on serverless AI &amp; cloud platforms.</p> ai python datascience programming Suraj Khaitan Sat, 15 Nov 2025 09:05:11 +0000 https://dev.to/suraj_khaitan_f893c243958/building-a-production-ready-langgraph-style-agent-from-raw-documents-to-structured-intelligence-562m https://dev.to/suraj_khaitan_f893c243958/building-a-production-ready-langgraph-style-agent-from-raw-documents-to-structured-intelligence-562m <p>A pragmatic walkthrough of orchestrating extraction, summarization, memory, and routing using graph patterns and modular agent components—fully generic.</p> <ol> <li><p>Why Another “Agent” Article?<br> Most write‑ups about agents stop at toy examples. This guide focuses on practical layering: ingest unstructured content (like PDFs), extract what matters, summarize with guardrails, persist long‑term memory, and route requests through specialized workflows—while keeping everything cloud‑friendly and composable. All patterns are standalone; you do not need any specific repository.</p></li> <li><p>Conceptual Architecture (LangGraph Pattern)<br> We adopt a graph mindset (inspired by LangGraph) where each node encapsulates a responsibility:</p></li> </ol> <p>Ingestion Node: Accepts user query + optional file references.<br> Extraction Node: Pulls raw text from uploaded documents (e.g., PDFs in object storage).<br> Summarization Node: Produces structured or free‑form summaries (LLM with JSON schema enforcement).<br> Memory Node: Persists distilled knowledge for subsequent sessions.<br> Routing Node: Selects workflow type (foundation / RAG / extractor) based on config.<br> Output Node: Returns assistant response + structural content for UI or downstream processes.<br> Represented abstractly:</p> <p>User Input --&gt; [Router] --&gt; (Foundation | RAG | Extractor)<br> | | |<br> [Summarizer] [Retriever] [Text Parser]<br> \ | /<br> [Memory &amp; Persist]<br> |<br> [Response]</p> <ol> <li>Core Building Blocks 3.1 Structured Summarization The summarizer turns extracted content plus an existing structural scaffold into a validated JSON object. Generic pattern:</li> </ol> <p>def summarize_json(state: Message, llm: ChatBedrock, schema: dict) -&gt; dict:<br> DynamicModel = json_schema_to_pydantic(schema)<br> structured_llm = llm.with_structured_output(DynamicModel)<br> system_context = f"CONTENT: {state.content}\nSTRUCTURED_OUTPUT: {state.structural_content}"<br> messages = [<br> SystemMessage(content=system_context),<br> HumanMessage(content="Summarize and fill the schema accurately."),<br> ]<br> result = structured_llm.invoke(messages)<br> return result.model_dump()<br> Key takeaways:</p> <p>Use JSON Schema → dynamic Pydantic model for strong typing.<br> Keep prompt minimal; the schema drives completeness.<br> Separate raw content (unstructured text) from structural_content (prior structured context or template fields).<br> 3.2 Generic Generation (Content vs Structure)<br> Switch temperature / max tokens depending on output goal:</p> <p>def generate(context: dict | str, prompt: str, llm: ChatBedrock, structured: bool = False):<br> ctx = json.dumps(context, indent=2) if isinstance(context, dict) else context<br> messages = [<br> SystemMessage(content=prompt),<br> HumanMessage(content=f"Structured data:\n{ctx}\n"),<br> ]<br> resp = llm.invoke(messages)<br> raw = resp.model_dump().get("content", "").strip()<br> # Try JSON first, fall back to text<br> try:<br> parsed = json.loads(raw)<br> return parsed if isinstance(parsed, dict) else raw<br> except Exception:<br> return raw<br> 3.3 Workflow Routing (Generic)<br> The router inspects configuration (e.g., workflow_type) and dynamically dispatches:</p> <p>def run_agent(request: AgentMessageRequest) -&gt; Message:<br> cfg = load_config()<br> workflow = cfg.get("workflow_type", "foundation")<br> if workflow == "rag":<br> return run_rag(request) # retrieval + synthesis path<br> if workflow == "extractor":<br> return run_extractor(request) # text parsing path<br> # Foundation path<br> crew = FoundationCrew() # sets up Agent + Task<br> result = crew.crew.kickoff(inputs={"query": request.message})<br> return Message(<br> role="assistant",<br> structural_content={"response": str(result.raw)},<br> content=str(result.raw),<br> metadata={"workflow_type": workflow, "status": "success"},<br> )<br> Routing Principles:</p> <p>Keep each specialized agent self‑contained.<br> Avoid heavy if/else trees by mapping workflow keys to callables.<br> Return a unified Message model to downstream consumers.<br> 3.4 Memory &amp; Persistence<br> Persist long‑term summaries (e.g., DynamoDB, PostgreSQL, Redis) via a memory node. Simplified pattern:</p> <p>def persist_summary(state: Message, user_id: str, session_id: str, table) -&gt; None:<br> summary_blob = summarize_json(state, llm, schema)<br> item = {<br> "user_id": user_id,<br> "session_id": session_id,<br> "session_time": iso_now_utc(),<br> "agent_summary": json.dumps(summary_blob),<br> }<br> table.put_item(Item=item)</p> <p>def load_memory(user_id: str, session_id: str, table) -&gt; dict | None:<br> resp = table.get_item(Key={"user_id": user_id, "session_id": session_id})<br> return resp.get("Item")<br> Add caching for reads; keep writes idempotent when possible.</p> <p>3.5 Asynchronous Fan‑Out (Optional)<br> Queue raw payloads for UI updates / analytics:</p> <p>def enqueue_payload(message: AgentMessageResponse, queue_url: str, sqs_client) -&gt; None:<br> body = json.dumps(message.model_dump())<br> sqs_client.send_message(QueueUrl=queue_url, MessageBody=body)</p> <ol> <li>Text Extraction Use Case (Generic Flow) An end‑to‑end invocation typically looks like this:</li> </ol> <p>Deploy supporting infra (locally or remote) – object storage, agent endpoint.<br> Upload PDFs to a bucket.<br> POST an agent payload referencing uploaded file keys.<br> Receive structured summary / overview.<br> Condensed generic flow:</p> <p>pdf_files = discover_local_pdfs("./samples")<br> for path in pdf_files:<br> s3_key = upload_pdf(path, bucket)<br> payload = {<br> "message": "Give me a concise overview.",<br> "sessionId": uuid.uuid4().hex,<br> "metadata": {"files": [s3_key]},<br> }<br> resp = requests.post(agent_url, headers=auth_headers(), json=payload)<br> print(parse_summary(resp.json()))<br> Guidelines:</p> <p>Keep uploads batched to reduce auth overhead.<br> Return both human‑readable content and machine‑friendly structural_content.<br> Enforce timeouts; PDFs can be large.</p> <ol> <li>Optional: A Minimal LangGraph-Style Graph Definition If you formalize nodes with LangGraph, a simple graph assembly could look like:</li> </ol> <p>from langgraph.graph import Graph</p> <p>graph = Graph()<br> graph.add_node("route", route_node)<br> graph.add_node("extract", extract_node)<br> graph.add_node("summarize", summarize_node)<br> graph.add_node("memory", memory_node)<br> graph.add_node("respond", respond_node)</p> <p>graph.add_edge("route", "extract")<br> graph.add_edge("extract", "summarize")<br> graph.add_edge("summarize", "memory")<br> graph.add_edge("memory", "respond")</p> <p>app = graph.compile()<br> result = app.invoke({"message": "Summarize the uploaded docs", "files": file_keys})<br> print(result["content"])<br> Design Notes:</p> <p>Each node keeps a single responsibility.<br> The compiled graph enforces explicit data flow—easier to test.<br> Inject observability (timers, counters) at node boundaries.</p> <ol> <li>Production Hardening Checklist Input Validation: Reject oversized or malformed files early. Structured Output Enforcement: Fail fast if schema fields are missing. Idempotency: Re‑summarize only when source or config changes. Observability: Log node start/end + latency; emit metrics per workflow. Cost Controls: Cache summaries; adjust temperature and max_tokens conservatively. Security: Signed URLs for document retrieval; strict auth on agent endpoint. Drift Handling: Maintain versioned JSON schemas for structured outputs.</li> <li>Common Pitfalls Overstuffing the system prompt—better to pass clean content + minimal instruction. Mixing storage concerns (session state) with transformation logic—keep memory node isolated. Ignoring error surfaces: always wrap LLM calls and return structured error objects.</li> <li>Extending the Graph Add an Evaluation Node: Auto‑grade summaries against reference heuristics. Add a Retrieval Node: Hybrid semantic + metadata filtering before summarization. Add a Redaction Node: Strip PII before persistence.</li> <li>Try It Yourself (Generic Mini Script) def quick_demo(file_paths: list[str]): # Pretend upload + extraction extracted_chunks = [open(p, encoding="utf-8").read()[:4000] for p in file_paths] merged = "\n".join(extracted_chunks) state = Message(role="user", content=merged, structural_content={"sections": []}) llm = return_llm() # any provider instance (Bedrock, OpenAI, local, etc.) schema = {"type": "object", "properties": {"summary": {"type": "string"}}} summary = summarize_json(state, llm, schema) print("Summary:\n", summary["summary"])</li> <li>Conclusion A production‑ready agent is not magic—it is a disciplined composition of small, testable nodes: routing, extraction, summarization, memory, and output shaping. By expressing the system as a graph, you gain clarity, resilience, and extensibility. Start simple (foundation workflow), then layer retrieval, structured output, and long‑term memory as concrete value drivers.</li> </ol> <p>Questions or improvements you want to explore next (e.g., evaluation, caching, or multi‑modal inputs)? Turn each responsibility into a node, experiment, and iterate.</p> <p>Happy building.</p> <p>About the Author<br> Written by Suraj Khaitan — Gen AI Architect | Working on serverless AI &amp; cloud platforms.</p> agents ai aws python Suraj Khaitan Sun, 09 Nov 2025 04:59:40 +0000 https://dev.to/suraj_khaitan_f893c243958/building-a-scalable-agent-to-agent-a2a-communication-protocol-on-aws-1g0i https://dev.to/suraj_khaitan_f893c243958/building-a-scalable-agent-to-agent-a2a-communication-protocol-on-aws-1g0i <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1620712943543-bcc4688e7485%3Fw%3D1200" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimages.unsplash.com%2Fphoto-1620712943543-bcc4688e7485%3Fw%3D1200" alt="Agent-to-Agent Communication" width="800" height="1000"></a></p> <h2> Introduction </h2> <p>In the rapidly evolving landscape of AI agents and autonomous systems, enabling seamless communication between different agents has become crucial. The Agent-to-Agent (A2A) protocol provides a standardized way for AI agents to interact, exchange messages, and coordinate tasks. In this article, I'll walk you through our implementation of an A2A gateway built on AWS serverless architecture.</p> <h2> What is Agent-to-Agent (A2A) Communication? </h2> <p>Agent-to-Agent communication is a protocol that allows different AI agents to interact with each other in a standardized way. Think of it as an API contract specifically designed for agent interactions. Rather than having agents communicate through proprietary interfaces, A2A provides:</p> <ul> <li> <strong>Standardized message formats</strong> using JSON-RPC</li> <li> <strong>Task lifecycle management</strong> (submit, track, cancel)</li> <li> <strong>Context preservation</strong> across multi-turn conversations</li> <li> <strong>Asynchronous processing</strong> with polling-based status checks</li> <li> <strong>Secure authentication</strong> between agents</li> </ul> <h2> Architecture Overview </h2> <p>Our A2A implementation leverages AWS serverless services to create a scalable, cost-effective solution:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────┐ │ Client │ │ Agent │ └──────┬──────┘ │ HTTPS + JWT ▼ ┌─────────────────────┐ │ API Gateway │ │ Custom Authorizer │ └──────┬──────────────┘ │ ▼ ┌─────────────────────┐ │ Lambda (FastAPI) │ │ A2A Gateway │ └──────┬──────────────┘ │ ├──────────┬─────────┐ ▼ ▼ ▼ ┌──────────┐ ┌──────┐ ┌──────────┐ │ DynamoDB │ │ SQS │ │ Secrets │ │ Tasks │ │Queue │ │ Manager │ └──────────┘ └──────┘ └──────────┘ </code></pre> </div> <h3> Key Components </h3> <ol> <li> <strong>API Gateway with Custom Authorizer</strong>: Validates JWT tokens and enforces scope-based access control</li> <li> <strong>FastAPI Lambda Function</strong>: Handles JSON-RPC requests and implements the A2A protocol</li> <li> <strong>DynamoDB</strong>: Stores task state and history with efficient querying via GSI</li> <li> <strong>SQS</strong>: Decouples message submission from agent processing</li> <li> <strong>AWS Secrets Manager</strong>: Securely manages signing keys for inter-service communication</li> </ol> <h2> Core Implementation Details </h2> <h3> 1. JSON-RPC Handler </h3> <p>The gateway implements the A2A protocol using JSON-RPC 2.0, supporting three primary operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="nd">@app.post</span><span class="p">(</span><span class="sh">"</span><span class="s">/a2a</span><span class="sh">"</span><span class="p">,</span> <span class="n">tags</span><span class="o">=</span><span class="p">[</span><span class="sh">"</span><span class="s">A2A</span><span class="sh">"</span><span class="p">])</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">a2a_rpc</span><span class="p">(</span><span class="n">request</span><span class="p">:</span> <span class="n">Request</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">JSONResponse</span><span class="p">:</span> <span class="n">body</span> <span class="o">=</span> <span class="k">await</span> <span class="n">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">a2a_req</span> <span class="o">=</span> <span class="n">A2ARequest</span><span class="p">.</span><span class="nf">model_validate</span><span class="p">(</span><span class="n">body</span><span class="p">)</span> <span class="n">req</span> <span class="o">=</span> <span class="n">a2a_req</span><span class="p">.</span><span class="n">root</span> <span class="k">if</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">SendMessageRequest</span><span class="p">):</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">_authorize</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">message.send</span><span class="sh">"</span><span class="p">)</span> <span class="n">req</span> <span class="o">=</span> <span class="nf">_inject_user_id</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">ctx</span><span class="p">[</span><span class="sh">"</span><span class="s">user_id</span><span class="sh">"</span><span class="p">])</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">rpc</span><span class="p">.</span><span class="nf">on_message_send</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">elif</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">GetTaskRequest</span><span class="p">):</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">_authorize</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">task.get</span><span class="sh">"</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">rpc</span><span class="p">.</span><span class="nf">on_get_task</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> <span class="k">elif</span> <span class="nf">isinstance</span><span class="p">(</span><span class="n">req</span><span class="p">,</span> <span class="n">CancelTaskRequest</span><span class="p">):</span> <span class="n">ctx</span> <span class="o">=</span> <span class="nf">_authorize</span><span class="p">(</span><span class="n">request</span><span class="p">,</span> <span class="sh">"</span><span class="s">task.cancel</span><span class="sh">"</span><span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">rpc</span><span class="p">.</span><span class="nf">on_cancel_task</span><span class="p">(</span><span class="n">req</span><span class="p">)</span> </code></pre> </div> <h3> 2. Authentication and Authorization </h3> <p>Security is implemented through a multi-layered approach:</p> <h4> Custom JWT Authorizer </h4> <p>The authorizer validates access tokens from an OAuth provider, checking:</p> <ul> <li>Token signature using JWKS (JSON Web Key Set)</li> <li>Token expiration and validity</li> <li>Issuer and audience claims</li> <li>Required scopes for each operation </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_verify_access_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="n">header</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">get_unverified_header</span><span class="p">(</span><span class="n">token</span><span class="p">)</span> <span class="n">kid</span> <span class="o">=</span> <span class="n">header</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">kid</span><span class="sh">"</span><span class="p">)</span> <span class="n">alg</span> <span class="o">=</span> <span class="n">header</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">alg</span><span class="sh">"</span><span class="p">)</span> <span class="n">jwks</span> <span class="o">=</span> <span class="nf">_get_jwks</span><span class="p">()</span> <span class="c1"># Cached JWKS </span> <span class="n">jwk</span> <span class="o">=</span> <span class="nf">next</span><span class="p">((</span><span class="n">k</span> <span class="k">for</span> <span class="n">k</span> <span class="ow">in</span> <span class="n">jwks</span> <span class="k">if</span> <span class="n">k</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">kid</span><span class="sh">"</span><span class="p">)</span> <span class="o">==</span> <span class="n">kid</span><span class="p">),</span> <span class="bp">None</span><span class="p">)</span> <span class="n">claims</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">jwk</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="n">alg</span><span class="p">],</span> <span class="n">audience</span><span class="o">=</span><span class="n">API_AUDIENCE</span><span class="p">,</span> <span class="n">issuer</span><span class="o">=</span><span class="n">ISSUER</span> <span class="p">)</span> <span class="k">return</span> <span class="n">claims</span> </code></pre> </div> <h4> Scope-Based Access Control </h4> <p>Different operations require specific scopes:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Operation</th> <th>Required Scope</th> </tr> </thead> <tbody> <tr> <td>Send Message</td> <td><code>tasks:submit</code></td> </tr> <tr> <td>Get Task Status</td> <td><code>tasks:read</code></td> </tr> <tr> <td>Cancel Task</td> <td><code>tasks:cancel</code></td> </tr> </tbody> </table></div> <h4> Inter-Service Authentication </h4> <p>For communication between the A2A gateway and backend agents, we mint short-lived JWTs (60 seconds TTL):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">mint_agent_token</span><span class="p">(</span><span class="n">user_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">ttl_seconds</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">60</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">now</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">())</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="sh">"</span><span class="s">iss</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">a2a-gateway</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">aud</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">agent</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">sub</span><span class="sh">"</span><span class="p">:</span> <span class="n">user_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">iat</span><span class="sh">"</span><span class="p">:</span> <span class="n">now</span><span class="p">,</span> <span class="sh">"</span><span class="s">exp</span><span class="sh">"</span><span class="p">:</span> <span class="n">now</span> <span class="o">+</span> <span class="n">ttl_seconds</span><span class="p">,</span> <span class="p">}</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="n">payload</span><span class="p">,</span> <span class="n">secret</span><span class="p">,</span> <span class="n">algorithm</span><span class="o">=</span><span class="sh">"</span><span class="s">HS256</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 3. Task Management and State Machine </h3> <p>Tasks follow a clear lifecycle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>submitted → working → completed ↘ failed ↘ canceled </code></pre> </div> <h4> DynamoDB Schema </h4> <p>We use a single-table design with a Global Secondary Index for efficient querying:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">A2ADatabase</span><span class="p">(</span><span class="n">BaseModel</span><span class="p">):</span> <span class="c1"># Primary Key: Task-centric access </span> <span class="n">pk</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># Task#{task_id} </span> <span class="n">sk</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># Event#{timestamp}#{uuid} </span> <span class="c1"># GSI: Session-centric access </span> <span class="n">gsi1_pk</span><span class="p">:</span> <span class="nb">str</span> <span class="c1"># session_id </span> <span class="n">gsi1_sk</span><span class="p">:</span> <span class="nb">int</span> <span class="c1"># created_at_ms </span> <span class="c1"># Domain fields </span> <span class="n">session_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">task_id</span><span class="p">:</span> <span class="nb">str</span> <span class="n">state</span><span class="p">:</span> <span class="n">TaskState</span> <span class="n">message</span><span class="p">:</span> <span class="nb">str</span> <span class="n">metadata</span><span class="p">:</span> <span class="nb">dict</span> </code></pre> </div> <p>This schema enables:</p> <ul> <li>Fast task status lookups using the primary key</li> <li>Chronological event history per task</li> <li>Session-based queries via GSI</li> <li>Optimistic concurrency through monotonic timestamps</li> </ul> <h3> 4. Asynchronous Processing with Polling </h3> <p>Rather than implementing real-time streaming (complex in API Gateway + Lambda), we use a polling model:</p> <h4> Message Send Flow </h4> <ol> <li> <strong>Client sends message</strong>: Initial request creates a task in <code>submitted</code> state</li> <li> <strong>Immediate response</strong>: Returns task ID with <code>submitted</code> status</li> <li> <strong>Background processing</strong>: Message queued to SQS for agent processing</li> <li> <strong>Client polls</strong>: Periodically calls <code>tasks/get</code> to check status (recommended: 15-second intervals)</li> <li> <strong>Task completion</strong>: Agent updates task to <code>completed</code> with response artifact </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">on_message_send</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="n">MessageSendParams</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Task</span><span class="p">:</span> <span class="c1"># Check if polling existing task </span> <span class="k">if</span> <span class="n">params</span><span class="p">.</span><span class="n">message</span><span class="p">.</span><span class="n">task_id</span><span class="p">:</span> <span class="k">return</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">on_get_task</span><span class="p">(</span> <span class="nc">TaskQueryParams</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">params</span><span class="p">.</span><span class="n">message</span><span class="p">.</span><span class="n">task_id</span><span class="p">)</span> <span class="p">)</span> <span class="c1"># Create new task </span> <span class="n">task_id</span> <span class="o">=</span> <span class="nf">str</span><span class="p">(</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">())</span> <span class="n">session_id</span> <span class="o">=</span> <span class="nf">get_session_id</span><span class="p">(</span><span class="n">params</span><span class="p">)</span> <span class="c1"># Store in DynamoDB </span> <span class="n">_table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">pk</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Task#</span><span class="si">{</span><span class="n">task_id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">session_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">session_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">submitted</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="nf">get_message_text</span><span class="p">(</span><span class="n">params</span><span class="p">),</span> <span class="c1"># ... other fields </span> <span class="p">})</span> <span class="c1"># Queue for processing </span> <span class="n">sqs_client</span><span class="p">.</span><span class="nf">send_message</span><span class="p">(</span> <span class="n">QueueUrl</span><span class="o">=</span><span class="n">SQS</span><span class="p">,</span> <span class="n">MessageBody</span><span class="o">=</span><span class="n">message_body</span> <span class="p">)</span> <span class="k">return</span> <span class="nc">Task</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">task_id</span><span class="p">,</span> <span class="n">context_id</span><span class="o">=</span><span class="n">session_id</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="nc">TaskStatus</span><span class="p">(</span><span class="n">state</span><span class="o">=</span><span class="n">TaskState</span><span class="p">.</span><span class="n">submitted</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <h3> 5. Task Cancellation </h3> <p>Clients can cancel tasks that haven't completed:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">on_cancel_task</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="n">TaskIdParams</span> <span class="p">)</span> <span class="o">-&gt;</span> <span class="n">Task</span><span class="p">:</span> <span class="n">task</span> <span class="o">=</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">on_get_task</span><span class="p">(</span> <span class="nc">TaskQueryParams</span><span class="p">(</span><span class="nb">id</span><span class="o">=</span><span class="n">params</span><span class="p">.</span><span class="nb">id</span><span class="p">)</span> <span class="p">)</span> <span class="k">if</span> <span class="n">task</span><span class="p">.</span><span class="n">status</span><span class="p">.</span><span class="n">state</span> <span class="o">==</span> <span class="n">TaskState</span><span class="p">.</span><span class="n">completed</span><span class="p">:</span> <span class="k">return</span> <span class="n">task</span> <span class="c1"># Cannot cancel completed tasks </span> <span class="c1"># Update state to canceled </span> <span class="n">_table</span><span class="p">.</span><span class="nf">put_item</span><span class="p">(</span><span class="n">Item</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">pk</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Task#</span><span class="si">{</span><span class="n">params</span><span class="p">.</span><span class="nb">id</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">canceled</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Task cancelled by user.</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># ... other fields </span> <span class="p">})</span> <span class="k">return</span> <span class="nc">Task</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">params</span><span class="p">.</span><span class="nb">id</span><span class="p">,</span> <span class="n">status</span><span class="o">=</span><span class="nc">TaskStatus</span><span class="p">(</span><span class="n">state</span><span class="o">=</span><span class="n">TaskState</span><span class="p">.</span><span class="n">canceled</span><span class="p">)</span> <span class="p">)</span> </code></pre> </div> <h2> Best Practices and Lessons Learned </h2> <h3> 1. Monotonic Timestamps for Event Ordering </h3> <p>We encountered a subtle bug where rapid successive events could have the same millisecond timestamp, causing sort key collisions. Solution: maintain a module-level counter to ensure monotonically increasing timestamps.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">_LAST_EVENT_MS</span><span class="p">:</span> <span class="nb">int</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">def</span> <span class="nf">_next_event_ms</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="k">global</span> <span class="n">_LAST_EVENT_MS</span> <span class="n">now_ms</span> <span class="o">=</span> <span class="nf">int</span><span class="p">(</span><span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">)</span> <span class="k">if</span> <span class="n">now_ms</span> <span class="o">&lt;=</span> <span class="n">_LAST_EVENT_MS</span><span class="p">:</span> <span class="n">now_ms</span> <span class="o">=</span> <span class="n">_LAST_EVENT_MS</span> <span class="o">+</span> <span class="mi">1</span> <span class="n">_LAST_EVENT_MS</span> <span class="o">=</span> <span class="n">now_ms</span> <span class="k">return</span> <span class="n">now_ms</span> </code></pre> </div> <h3> 2. JWKS Caching with Fallback </h3> <p>Fetching JWKS on every request is inefficient. We implemented a cache with graceful degradation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">_get_jwks</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="n">now</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="k">if</span> <span class="n">_JWKS</span><span class="p">[</span><span class="sh">"</span><span class="s">keys</span><span class="sh">"</span><span class="p">]</span> <span class="ow">and</span> <span class="n">now</span> <span class="o">-</span> <span class="n">_JWKS</span><span class="p">[</span><span class="sh">"</span><span class="s">at</span><span class="sh">"</span><span class="p">]</span> <span class="o">&lt;</span> <span class="n">CACHE_TTL</span><span class="p">:</span> <span class="k">return</span> <span class="n">_JWKS</span><span class="p">[</span><span class="sh">"</span><span class="s">keys</span><span class="sh">"</span><span class="p">]</span> <span class="k">try</span><span class="p">:</span> <span class="n">keys</span> <span class="o">=</span> <span class="nf">_fetch_jwks</span><span class="p">()</span> <span class="n">_JWKS</span><span class="p">.</span><span class="nf">update</span><span class="p">({</span><span class="sh">"</span><span class="s">keys</span><span class="sh">"</span><span class="p">:</span> <span class="n">keys</span><span class="p">,</span> <span class="sh">"</span><span class="s">at</span><span class="sh">"</span><span class="p">:</span> <span class="n">now</span><span class="p">})</span> <span class="k">return</span> <span class="n">keys</span> <span class="k">except</span> <span class="nb">Exception</span><span class="p">:</span> <span class="k">if</span> <span class="n">_JWKS</span><span class="p">[</span><span class="sh">"</span><span class="s">keys</span><span class="sh">"</span><span class="p">]:</span> <span class="c1"># Use stale cache </span> <span class="k">return</span> <span class="n">_JWKS</span><span class="p">[</span><span class="sh">"</span><span class="s">keys</span><span class="sh">"</span><span class="p">]</span> <span class="k">raise</span> </code></pre> </div> <h3> 3. Comprehensive Logging </h3> <p>Structured logging is crucial for debugging distributed systems:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span> <span class="sh">"</span><span class="s">on_message_send created | task_id=%s sessionId=%s</span><span class="sh">"</span><span class="p">,</span> <span class="n">task_id</span><span class="p">,</span> <span class="n">sessionId</span> <span class="p">)</span> </code></pre> </div> <h3> 4. Consistent Read for Status Checks </h3> <p>DynamoDB's eventual consistency can cause race conditions. Always use <code>ConsistentRead=True</code> when checking task status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">r</span> <span class="o">=</span> <span class="n">_table</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span> <span class="n">KeyConditionExpression</span><span class="o">=</span><span class="p">...,</span> <span class="n">ConsistentRead</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="c1"># Critical! </span> <span class="n">Limit</span><span class="o">=</span><span class="mi">1</span> <span class="p">)</span> </code></pre> </div> <h3> 5. Proper Error Handling </h3> <p>Implement JSON-RPC compliant error responses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">except</span> <span class="n">ValidationError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">return</span> <span class="nc">JSONResponse</span><span class="p">(</span> <span class="nc">JSONRPCErrorResponse</span><span class="p">(</span> <span class="nb">id</span><span class="o">=</span><span class="n">request_id</span><span class="p">,</span> <span class="n">error</span><span class="o">=</span><span class="nc">InternalError</span><span class="p">(</span> <span class="n">message</span><span class="o">=</span><span class="sh">"</span><span class="s">Invalid request</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="nf">json</span><span class="p">())</span> <span class="p">)</span> <span class="p">).</span><span class="nf">model_dump</span><span class="p">(</span><span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">json</span><span class="sh">"</span><span class="p">),</span> <span class="n">status_code</span><span class="o">=</span><span class="mi">200</span> <span class="c1"># JSON-RPC errors still return 200 </span> <span class="p">)</span> </code></pre> </div> <h2> Performance Considerations </h2> <h3> Scalability </h3> <ul> <li> <strong>Lambda concurrency</strong>: Automatically scales to handle traffic spikes</li> <li> <strong>DynamoDB on-demand</strong>: Scales with request volume without capacity planning</li> <li> <strong>SQS buffering</strong>: Smooths traffic bursts to backend agents</li> <li> <strong>Stateless design</strong>: No sticky sessions or state management overhead</li> </ul> <h3> Cost Optimization </h3> <ul> <li> <strong>Lambda cold starts</strong>: Mitigated by keeping functions warm during business hours</li> <li> <strong>DynamoDB query efficiency</strong>: Single-table design with targeted queries</li> <li> <strong>Secret caching</strong>: Reduces Secrets Manager API calls by 99%</li> <li> <strong>JWKS caching</strong>: Avoids repeated HTTPS calls to OAuth provider</li> </ul> <h2> Security Highlights </h2> <ol> <li> <strong>Defense in depth</strong>: Multiple authentication layers (OAuth, scopes, inter-service JWTs)</li> <li> <strong>Least privilege</strong>: Scope-based access control ensures clients can only perform authorized operations</li> <li> <strong>Short-lived tokens</strong>: Agent tokens expire in 60 seconds</li> <li> <strong>HTTPS only</strong>: All communication encrypted in transit</li> <li> <strong>No sensitive data in logs</strong>: User IDs and task IDs only, no message content</li> </ol> <h2> Future Enhancements </h2> <p>While our current implementation is production-ready, several enhancements could be valuable:</p> <ol> <li> <strong>WebSocket support</strong>: For real-time updates instead of polling</li> <li> <strong>Event-driven notifications</strong>: SNS/EventBridge for push notifications</li> <li> <strong>GraphQL interface</strong>: Alternative to JSON-RPC for more flexible queries</li> <li> <strong>Multi-region deployment</strong>: For global low-latency access</li> <li> <strong>Enhanced observability</strong>: X-Ray tracing and CloudWatch Insights dashboards</li> </ol> <h2> Conclusion </h2> <p>Building a robust A2A gateway on AWS requires careful consideration of security, scalability, and reliability. By leveraging serverless services and implementing best practices like:</p> <ul> <li>Proper authentication and authorization</li> <li>Asynchronous processing with polling</li> <li>Monotonic event ordering</li> <li>Comprehensive error handling</li> <li>Strategic caching</li> </ul> <p>We've created a system that can handle enterprise-scale agent interactions while maintaining security and performance.</p> <p>The A2A protocol represents an important step toward interoperable AI agents. As the ecosystem matures, standardized communication protocols will enable rich agent ecosystems where specialized agents can collaborate to solve complex problems.</p> <h2> Key Takeaways </h2> <p>✅ Use JSON-RPC for standardized agent communication<br><br> ✅ Implement multi-layered security with OAuth and scope-based access control<br><br> ✅ Design for asynchronous processing with polling-based status checks<br><br> ✅ Leverage DynamoDB single-table design for efficient task management<br><br> ✅ Cache aggressively but with graceful fallbacks<br><br> ✅ Use monotonic timestamps to prevent race conditions<br><br> ✅ Log structured data for observability </p> <p><strong>About the Implementation</strong>: This A2A gateway is built with Python, FastAPI, AWS Lambda, DynamoDB, SQS, and integrates with OAuth 2.0 providers. It follows the A2A specification and provides a scalable foundation for agent-to-agent communication.</p> <p><em>Have you implemented agent communication protocols? What challenges did you face? Share your experiences in the comments below!</em></p> <h2> About the Author </h2> <p>Written by Suraj Khaitan<br> — Gen AI Architect | Working on serverless AI &amp; cloud platforms.</p> aws python agents a2a